From 1a88883a3b1dc5c4ac69f100501f982b86d02159 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 6 Feb 2025 13:51:46 +0100 Subject: [PATCH 1/7] Update cilium v1.16.6 (#618) ## Summary by CodeRabbit - **New Features** - Enhanced proxy configuration with dedicated endpoints for metrics, administration, and health checks. - **Documentation** - Updated displayed version number and badge to v1.16.6 for improved clarity. - **Chores** - Upgraded component versions and image digests from v1.16.5 to v1.16.6. - Streamlined configuration by removing legacy conditional settings and obsolete CORS directives. - Refined formatting of tag filters for clearer configuration management. --- .../system/cilium/charts/cilium/Chart.yaml | 4 +- .../system/cilium/charts/cilium/README.md | 16 +- .../configmap/bootstrap-config.json | 471 ------------------ .../configmap/bootstrap-config.yaml | 280 +++++++++++ .../templates/cilium-agent/daemonset.yaml | 7 - .../cilium/templates/cilium-configmap.yaml | 6 +- .../templates/cilium-envoy/configmap.yaml | 5 +- .../cilium/templates/hubble-ui/_nginx.tpl | 12 - .../system/cilium/charts/cilium/values.yaml | 32 +- .../system/cilium/images/cilium/Dockerfile | 2 +- 10 files changed, 312 insertions(+), 523 deletions(-) delete mode 100644 packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json create mode 100644 packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml diff --git a/packages/system/cilium/charts/cilium/Chart.yaml b/packages/system/cilium/charts/cilium/Chart.yaml index ab0b2c0f..abb59fd7 100644 --- a/packages/system/cilium/charts/cilium/Chart.yaml +++ b/packages/system/cilium/charts/cilium/Chart.yaml 
@@ -79,7 +79,7 @@ annotations: Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n" apiVersion: v2 -appVersion: 1.16.5 +appVersion: 1.16.6 description: eBPF-based Networking, Security, and Observability home: https://cilium.io/ icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg @@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0' name: cilium sources: - https://github.com/cilium/cilium -version: 1.16.5 +version: 1.16.6 diff --git a/packages/system/cilium/charts/cilium/README.md b/packages/system/cilium/charts/cilium/README.md index 78311316..7737f8b9 100644 --- a/packages/system/cilium/charts/cilium/README.md +++ b/packages/system/cilium/charts/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.16.5](https://img.shields.io/badge/Version-1.16.5-informational?style=flat-square) ![AppVersion: 1.16.5](https://img.shields.io/badge/AppVersion-1.16.5-informational?style=flat-square) +![Version: 1.16.6](https://img.shields.io/badge/Version-1.16.6-informational?style=flat-square) ![AppVersion: 1.16.6](https://img.shields.io/badge/AppVersion-1.16.6-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| -| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:d75b758a4fea99ffff4db799e16f853bbde8643671b5b72464a8ba94cbe3dbe3","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:71b79694b71639e633452f57fd9de40595d524de308349218d9a6a144b40be02","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. | -| clustermesh.apiserver.image | object | `{"digest":"sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.5","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.6","useDigest":true}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -353,7 +353,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5","useDigest":true}` | Envoy container image. | | envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | 
@@ -485,7 +485,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.5","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.6","useDigest":true}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -591,7 +591,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.5","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.6","useDigest":true}` | Agent container image. | | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -718,7 +718,7 @@ contributors across the globe, there is almost always someone available to help. | operator.hostNetwork | bool | `true` | HostNetwork setting | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0","awsDigest":"sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476","azureDigest":"sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9","genericDigest":"sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.5","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9","awsDigest":"sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d","azureDigest":"sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd","genericDigest":"sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.6","useDigest":true}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -768,7 +768,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.5","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.6","useDigest":true}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json deleted file mode 100644 index ef47695b..00000000 --- a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json +++ /dev/null 
@@ -1,471 +0,0 @@ -{ - "node": { - "id": "host~127.0.0.1~no-id~localdomain", - "cluster": "ingress-cluster" - }, - "staticResources": { - "listeners": [ - {{- if .Values.envoy.prometheus.enabled }} - { - "name": "envoy-prometheus-metrics-listener", - "address": { - "socket_address": { - "address": "0.0.0.0", - "port_value": {{ .Values.envoy.prometheus.port }} - } - }, - "filter_chains": [ - { - "filters": [ - { - "name": "envoy.filters.network.http_connection_manager", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", - "stat_prefix": "envoy-prometheus-metrics-listener", - "route_config": { - "virtual_hosts": [ - { - "name": "prometheus_metrics_route", - "domains": [ - "*" - ], - "routes": [ - { - "name": "prometheus_metrics_route", - "match": { - "prefix": "/metrics" - }, - "route": { - "cluster": "/envoy-admin", - "prefix_rewrite": "/stats/prometheus" - } - } - ] - } - ] - }, - "http_filters": [ - { - "name": "envoy.filters.http.router", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - } - ], - "internal_address_config": { - "cidr_ranges": [ - { - "address_prefix": "10.0.0.0", - "prefix_len": 8 - }, - { - "address_prefix": "172.16.0.0", - "prefix_len": 12 - }, - { - "address_prefix": "192.168.0.0", - "prefix_len": 16 - }, - { - "address_prefix": "127.0.0.1", - "prefix_len": 32 - }, - { - "address_prefix": "::1", - "prefix_len": 128 - } - ] - }, - "stream_idle_timeout": "0s" - } - } - ] - } - ] - }, - {{- end }} - {{- if and .Values.envoy.debug.admin.enabled }} - { - "name": "envoy-admin-listener", - "address": { - "socket_address": { - "address": {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}, - "port_value": {{ .Values.envoy.debug.admin.port }} - } - }, - {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }} - "additional_addresses": [ - { - "address": { - "socket_address": { - "address": "::1", - 
"port_value": {{ .Values.envoy.debug.admin.port }} - } - } - } - ], - {{- end }} - "filter_chains": [ - { - "filters": [ - { - "name": "envoy.filters.network.http_connection_manager", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", - "stat_prefix": "envoy-admin-listener", - "route_config": { - "virtual_hosts": [ - { - "name": "admin_route", - "domains": [ - "*" - ], - "routes": [ - { - "name": "admin_route", - "match": { - "prefix": "/" - }, - "route": { - "cluster": "/envoy-admin", - "prefix_rewrite": "/" - } - } - ] - } - ] - }, - "http_filters": [ - { - "name": "envoy.filters.http.router", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - } - ], - "internal_address_config": { - "cidr_ranges": [ - { - "address_prefix": "10.0.0.0", - "prefix_len": 8 - }, - { - "address_prefix": "172.16.0.0", - "prefix_len": 12 - }, - { - "address_prefix": "192.168.0.0", - "prefix_len": 16 - }, - { - "address_prefix": "127.0.0.1", - "prefix_len": 32 - }, - { - "address_prefix": "::1", - "prefix_len": 128 - } - ] - }, - "stream_idle_timeout": "0s" - } - } - ] - } - ] - }, - {{- end }} - { - "name": "envoy-health-listener", - "address": { - "socket_address": { - "address": {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}, - "port_value": {{ .Values.envoy.healthPort }} - } - }, - {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }} - "additional_addresses": [ - { - "address": { - "socket_address": { - "address": "::1", - "port_value": {{ .Values.envoy.healthPort }} - } - } - } - ], - {{- end }} - "filter_chains": [ - { - "filters": [ - { - "name": "envoy.filters.network.http_connection_manager", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", - "stat_prefix": "envoy-health-listener", - "route_config": { - "virtual_hosts": [ - { - "name": 
"health", - "domains": [ - "*" - ], - "routes": [ - { - "name": "health", - "match": { - "prefix": "/healthz" - }, - "route": { - "cluster": "/envoy-admin", - "prefix_rewrite": "/ready" - } - } - ] - } - ] - }, - "http_filters": [ - { - "name": "envoy.filters.http.router", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - } - ], - "internal_address_config": { - "cidr_ranges": [ - { - "address_prefix": "10.0.0.0", - "prefix_len": 8 - }, - { - "address_prefix": "172.16.0.0", - "prefix_len": 12 - }, - { - "address_prefix": "192.168.0.0", - "prefix_len": 16 - }, - { - "address_prefix": "127.0.0.1", - "prefix_len": 32 - }, - { - "address_prefix": "::1", - "prefix_len": 128 - } - ] - }, - "stream_idle_timeout": "0s" - } - } - ] - } - ] - } - ], - "clusters": [ - { - "name": "ingress-cluster", - "type": "ORIGINAL_DST", - "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", - "lbPolicy": "CLUSTER_PROVIDED", - "typedExtensionProtocolOptions": { - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", - "commonHttpProtocolOptions": { - "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s", - "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s", - "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }} - }, - "useDownstreamProtocolConfig": {} - } - }, - "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s" - }, - { - "name": "egress-cluster-tls", - "type": "ORIGINAL_DST", - "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", - "lbPolicy": "CLUSTER_PROVIDED", - "typedExtensionProtocolOptions": { - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", - "commonHttpProtocolOptions": { - "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s", 
- "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s", - "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }} - }, - "upstreamHttpProtocolOptions": {}, - "useDownstreamProtocolConfig": {} - } - }, - "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s", - "transportSocket": { - "name": "cilium.tls_wrapper", - "typedConfig": { - "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext" - } - } - }, - { - "name": "egress-cluster", - "type": "ORIGINAL_DST", - "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", - "lbPolicy": "CLUSTER_PROVIDED", - "typedExtensionProtocolOptions": { - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", - "commonHttpProtocolOptions": { - "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s", - "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s", - "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }} - }, - "useDownstreamProtocolConfig": {} - } - }, - "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s" - }, - { - "name": "ingress-cluster-tls", - "type": "ORIGINAL_DST", - "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", - "lbPolicy": "CLUSTER_PROVIDED", - "typedExtensionProtocolOptions": { - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", - "commonHttpProtocolOptions": { - "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s", - "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s", - "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }} - }, - "upstreamHttpProtocolOptions": {}, - "useDownstreamProtocolConfig": {} - } - }, - "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s", - "transportSocket": { - "name": 
"cilium.tls_wrapper", - "typedConfig": { - "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext" - } - } - }, - { - "name": "xds-grpc-cilium", - "type": "STATIC", - "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", - "loadAssignment": { - "clusterName": "xds-grpc-cilium", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "pipe": { - "path": "/var/run/cilium/envoy/sockets/xds.sock" - } - } - } - } - ] - } - ] - }, - "typedExtensionProtocolOptions": { - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", - "explicitHttpConfig": { - "http2ProtocolOptions": {} - } - } - } - }, - { - "name": "/envoy-admin", - "type": "STATIC", - "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", - "loadAssignment": { - "clusterName": "/envoy-admin", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "pipe": { - "path": "/var/run/cilium/envoy/sockets/admin.sock" - } - } - } - } - ] - } - ] - } - } - ] - }, - "dynamicResources": { - "ldsConfig": { - "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s", - "apiConfigSource": { - "apiType": "GRPC", - "transportApiVersion": "V3", - "grpcServices": [ - { - "envoyGrpc": { - "clusterName": "xds-grpc-cilium" - } - } - ], - "setNodeOnFirstMessageOnly": true - }, - "resourceApiVersion": "V3" - }, - "cdsConfig": { - "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s", - "apiConfigSource": { - "apiType": "GRPC", - "transportApiVersion": "V3", - "grpcServices": [ - { - "envoyGrpc": { - "clusterName": "xds-grpc-cilium" - } - } - ], - "setNodeOnFirstMessageOnly": true - }, - "resourceApiVersion": "V3" - } - }, - "bootstrapExtensions": [ - { - "name": "envoy.bootstrap.internal_listener", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener" - } - } - ], - 
"overload_manager": { - "resource_monitors": [ - { - "name": "envoy.resource_monitors.global_downstream_max_connections", - "typed_config": { - "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig", - "max_active_downstream_connections": "50000" - } - } - ] - }, - "admin": { - "address": { - "pipe": { - "path": "/var/run/cilium/envoy/sockets/admin.sock" - } - } - } -} diff --git a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml new file mode 100644 index 00000000..857529bf --- /dev/null +++ b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml 
@@ -0,0 +1,280 @@
+node:
+ id: "host~127.0.0.1~no-id~localdomain"
+ cluster: "ingress-cluster"
+staticResources:
+ listeners:
+ {{- if .Values.envoy.prometheus.enabled }}
+ - name: "envoy-prometheus-metrics-listener"
+ address:
+ socketAddress:
+ address: "0.0.0.0"
+ portValue: {{ .Values.envoy.prometheus.port }}
+ filterChains:
+ - filters:
+ - name: "envoy.filters.network.http_connection_manager"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+ statPrefix: "envoy-prometheus-metrics-listener"
+ routeConfig:
+ virtualHosts:
+ - name: "prometheus_metrics_route"
+ domains:
+ - "*"
+ routes:
+ - name: "prometheus_metrics_route"
+ match:
+ prefix: "/metrics"
+ route:
+ cluster: "/envoy-admin"
+ prefixRewrite: "/stats/prometheus"
+ httpFilters:
+ - name: "envoy.filters.http.router"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+ internalAddressConfig:
+ cidrRanges:
+ {{- if .Values.ipv4.enabled }}
+ - addressPrefix: "10.0.0.0"
+ prefixLen: 8
+ - addressPrefix: "172.16.0.0"
+ prefixLen: 12
+ - addressPrefix: "192.168.0.0"
+ prefixLen: 16
+ - addressPrefix: "127.0.0.1"
+ prefixLen: 32
+ {{- end }}
+ {{- if .Values.ipv6.enabled }}
+ - addressPrefix: "::1"
+ prefixLen: 128
+ {{- end }}
+ streamIdleTimeout: "0s"
+ {{- end }}
+ {{- if and .Values.envoy.debug.admin.enabled }}
+ - name: "envoy-admin-listener"
+ address:
+ socketAddress:
+ address: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+ portValue: {{ .Values.envoy.debug.admin.port }}
+ {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+ additionalAddresses:
+ - address:
+ socketAddress:
+ address: "::1"
+ portValue: {{ .Values.envoy.debug.admin.port }}
+ {{- end }}
+ filterChains:
+ - filters:
+ - name: "envoy.filters.network.http_connection_manager"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+ statPrefix: "envoy-admin-listener"
+ routeConfig:
+ virtual_hosts:
+ - name: "admin_route"
+ domains:
+ - "*"
+ routes:
+ - name: "admin_route"
+ match:
+ prefix: "/"
+ route:
+ cluster: "/envoy-admin"
+ prefixRewrite: "/"
+ httpFilters:
+ - name: "envoy.filters.http.router"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+ internalAddressConfig:
+ cidrRanges:
+ {{- if .Values.ipv4.enabled }}
+ - addressPrefix: "10.0.0.0"
+ prefixLen: 8
+ - addressPrefix: "172.16.0.0"
+ prefixLen: 12
+ - addressPrefix: "192.168.0.0"
+ prefixLen: 16
+ - addressPrefix: "127.0.0.1"
+ prefixLen: 32
+ {{- end }}
+ {{- if .Values.ipv6.enabled }}
+ - addressPrefix: "::1"
+ prefixLen: 128
+ {{- end }}
+ streamIdleTimeout: "0s"
+ {{- end }}
+ - name: "envoy-health-listener"
+ address:
+ socketAddress:
+ address: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+ portValue: {{ .Values.envoy.healthPort }}
+ {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+ additionalAddresses:
+ - address:
+ socketAddress:
+ address: "::1"
+ portValue: {{ .Values.envoy.healthPort }}
+ {{- end }}
+ filterChains:
+ - filters:
+ - name: "envoy.filters.network.http_connection_manager"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+ statPrefix: "envoy-health-listener"
+ routeConfig:
+ virtual_hosts:
+ - name: "health"
+ domains:
+ - "*"
+ routes:
+ - name: "health"
+ match:
+ prefix: "/healthz"
+ route:
+ cluster: "/envoy-admin"
+ prefixRewrite: "/ready"
+ httpFilters:
+ - name: "envoy.filters.http.router"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+ internalAddressConfig:
+ cidrRanges:
+ {{- if .Values.ipv4.enabled }}
+ - addressPrefix: "10.0.0.0"
+ prefixLen: 8
+ - addressPrefix: "172.16.0.0"
+ prefixLen: 12
+ - addressPrefix: "192.168.0.0"
+ prefixLen: 16
+ - addressPrefix: "127.0.0.1"
+ prefixLen: 32
+ {{- end }}
+ {{- if .Values.ipv6.enabled }}
+ - addressPrefix: "::1"
+ prefixLen: 128
+ {{- end }}
+ streamIdleTimeout: "0s"
+ clusters:
+ - name: "ingress-cluster"
+ type: "ORIGINAL_DST"
+ connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+ lbPolicy: "CLUSTER_PROVIDED"
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ commonHttpProtocolOptions:
+ idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+ maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+ maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+ useDownstreamProtocolConfig: {}
+ cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+ - name: "egress-cluster-tls"
+ type: "ORIGINAL_DST"
+ connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+ lbPolicy: "CLUSTER_PROVIDED"
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ commonHttpProtocolOptions:
+ idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+ maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+ maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+ upstreamHttpProtocolOptions: {}
+ useDownstreamProtocolConfig: {}
+ cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+ transportSocket:
+ name: "cilium.tls_wrapper"
+ typedConfig:
+ "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+ - name: "egress-cluster"
+ type: "ORIGINAL_DST"
+ connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+ lbPolicy: "CLUSTER_PROVIDED"
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ commonHttpProtocolOptions:
+ idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+ maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+ maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+ useDownstreamProtocolConfig: {}
+ cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+ - name: "ingress-cluster-tls"
+ type: "ORIGINAL_DST"
+ connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+ lbPolicy: "CLUSTER_PROVIDED"
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ commonHttpProtocolOptions:
+ idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+ maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+ maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+ upstreamHttpProtocolOptions: {}
+ useDownstreamProtocolConfig: {}
+ cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+ transportSocket:
+ name: "cilium.tls_wrapper"
+ typedConfig:
+ "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+ - name: "xds-grpc-cilium"
+ type: "STATIC"
+ connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+ loadAssignment:
+ clusterName: "xds-grpc-cilium"
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ pipe:
+ path: "/var/run/cilium/envoy/sockets/xds.sock"
+ typedExtensionProtocolOptions:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+ explicitHttpConfig:
+ http2ProtocolOptions: {}
+ - name: "/envoy-admin"
+ type: "STATIC"
+ connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+ loadAssignment:
+ clusterName: "/envoy-admin"
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ pipe:
+ path: "/var/run/cilium/envoy/sockets/admin.sock"
+dynamicResources:
+ ldsConfig:
+ initialFetchTimeout: "{{ .Values.envoy.initialFetchTimeoutSeconds }}s"
+ apiConfigSource:
+ apiType: "GRPC"
+ transportApiVersion: "V3"
+ grpcServices:
+ - envoyGrpc:
+ clusterName: "xds-grpc-cilium"
+ setNodeOnFirstMessageOnly: true
+ resourceApiVersion: "V3"
+ cdsConfig:
+ initialFetchTimeout: "{{ .Values.envoy.initialFetchTimeoutSeconds }}s"
+ apiConfigSource:
+ apiType: "GRPC"
+ transportApiVersion: "V3"
+ grpcServices:
+ - envoyGrpc:
+ clusterName: "xds-grpc-cilium"
+ setNodeOnFirstMessageOnly: true
+ resourceApiVersion: "V3"
+bootstrapExtensions:
+- name: "envoy.bootstrap.internal_listener"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
+overloadManager:
+ resourceMonitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typedConfig:
+ "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig"
+ max_active_downstream_connections: "50000"
+admin:
+ address:
+ pipe:
+ path: "/var/run/cilium/envoy/sockets/admin.sock"
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
index a78edbdc..27498c50 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
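Review bot: The `envoy-prometheus-metrics-listener` in the new bootstrap-config.yaml is the only listener bound to `0.0.0.0`, and its single route forwards to the `/envoy-admin` cluster (the `admin.sock` pipe) on a `prefix: "/metrics"` match, so any request path that merely begins with `/metrics` is rewritten and handed to the admin handler. An exact match, `path: "/metrics"`, would keep the rewrite to `/stats/prometheus` while limiting what reaches the admin socket to the one endpoint a scraper needs; how the admin handler treats other suffixed paths is not visible here, so read this as hardening rather than a confirmed defect. Because the admin and health listeners stay on loopback, a comment above this listener would document the difference, for example `# reachable on all interfaces when envoy.prometheus.enabled; restrict the port with host or network policy`.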
@@ -315,13 +315,9 @@ spec: {{- end}} - name: cilium-run mountPath: /var/run/cilium - {{- /* mount the directory if socketLB.enabled is true and socketLB.terminatePodConnections is not explicitly set to false */ -}} - {{- if or (and (kindIs "invalid" .Values.socketLB.terminatePodConnections) .Values.socketLB.enabled) - (and .Values.socketLB.enabled .Values.socketLB.terminatePodConnections) }} - name: cilium-netns mountPath: /var/run/cilium/netns mountPropagation: HostToContainer - {{- end}} - name: etc-cni-netd mountPath: {{ .Values.cni.hostConfDirMountPath }} {{- if .Values.etcd.enabled }} @@ -797,14 +793,11 @@ spec: hostPath: path: {{ .Values.daemon.runPath }} type: DirectoryOrCreate - {{- if or (and (kindIs "invalid" .Values.socketLB.terminatePodConnections) .Values.socketLB.enabled) - (and .Values.socketLB.enabled .Values.socketLB.terminatePodConnections) }} # To exec into pod network namespaces - name: cilium-netns hostPath: path: /var/run/netns type: DirectoryOrCreate - {{- end }} {{- if .Values.bpf.autoMount.enabled }} # To keep state between restarts / upgrades for bpf maps - name: bpf-maps diff --git a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml index 761f36f8..53946cab 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml 
@@ -513,10 +513,10 @@ data: subnet-ids-filter: {{ .Values.eni.subnetIDsFilter | join " " | quote }} {{- end }} {{- if .Values.eni.subnetTagsFilter }} - subnet-tags-filter: {{ .Values.eni.subnetTagsFilter | join " " | quote }} + subnet-tags-filter: {{ .Values.eni.subnetTagsFilter | join "," | quote }} {{- end }} {{- if .Values.eni.instanceTagsFilter }} - instance-tags-filter: {{ .Values.eni.instanceTagsFilter | join " " | quote }} + instance-tags-filter: {{ .Values.eni.instanceTagsFilter | join "," | quote }} {{- end }} {{- end }} {{ if .Values.eni.gcInterval }} @@ -718,8 +718,6 @@ data: {{- end }} {{- if hasKey $socketLB "terminatePodConnections" }} bpf-lb-sock-terminate-pod-connections: {{ $socketLB.terminatePodConnections | quote }} -{{- else if hasKey $socketLB "enabled" }} - bpf-lb-sock-terminate-pod-connections: {{ $socketLB.enabled | quote }} {{- end }} {{- if hasKey $socketLB "tracing" }} trace-sock: {{ $socketLB.tracing | quote }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml index 33c5a833..084077a4 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml @@ -12,6 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} data: -{{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }} - + # Keep the key name as bootstrap-config.json to avoid breaking changes + bootstrap-config.json: | + {{- (tpl (.Files.Get "files/cilium-envoy/configmap/bootstrap-config.yaml") .) | fromYaml | toJson | nindent 4 }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl b/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl index e787b5aa..5d3d0a80 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl 
+++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl @@ -13,24 +13,12 @@ server { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; - # CORS - add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS"; - add_header Access-Control-Allow-Origin *; - add_header Access-Control-Max-Age 1728000; - add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message; - add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout; - if ($request_method = OPTIONS) { - return 204; - } - # /CORS - location {{ .Values.hubble.ui.baseUrl }}api { {{- if not (eq .Values.hubble.ui.baseUrl "/") }} rewrite ^{{ (trimSuffix "/" .Values.hubble.ui.baseUrl) }}(/.*)$ $1 break; {{- end }} proxy_http_version 1.1; proxy_pass_request_headers on; - proxy_hide_header Access-Control-Allow-Origin; {{- if eq .Values.hubble.ui.baseUrl "/" }} proxy_pass http://127.0.0.1:8090; {{- else }} diff --git a/packages/system/cilium/charts/cilium/values.yaml b/packages/system/cilium/charts/cilium/values.yaml index 9e1f4715..cc666fbc 100644 --- a/packages/system/cilium/charts/cilium/values.yaml +++ b/packages/system/cilium/charts/cilium/values.yaml @@ -153,10 +153,10 @@ image: # @schema override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.16.5" + tag: "v1.16.6" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d" + digest: "sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da" useDigest: true # -- Affinity for cilium-agent. affinity: 
@@ -1314,9 +1314,9 @@ hubble: # @schema override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.16.5" + tag: "v1.16.6" # hubble-relay-digest - digest: "sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00" + digest: "sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b" useDigest: true pullPolicy: "IfNotPresent" # -- Specifies the resources for the hubble-relay pods @@ -2165,9 +2165,9 @@ envoy: # @schema override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8" + tag: "v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5" pullPolicy: "IfNotPresent" - digest: "sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced" + digest: "sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. extraContainers: [] @@ -2480,15 +2480,15 @@ operator: # @schema override: ~ repository: "quay.io/cilium/operator" - tag: "v1.16.5" + tag: "v1.16.6" # operator-generic-digest - genericDigest: "sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039" + genericDigest: "sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc" # operator-azure-digest - azureDigest: "sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9" + azureDigest: "sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd" # operator-aws-digest - awsDigest: "sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476" + awsDigest: "sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0" + alibabacloudDigest: "sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9" useDigest: true pullPolicy: "IfNotPresent" suffix: "" 
@@ -2762,9 +2762,9 @@ preflight: # @schema override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.16.5" + tag: "v1.16.6" # cilium-digest - digest: "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d" + digest: "sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da" useDigest: true pullPolicy: "IfNotPresent" # -- The priority class to use for the preflight pod. @@ -2911,9 +2911,9 @@ clustermesh: # @schema override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.16.5" + tag: "v1.16.6" # clustermesh-apiserver-digest - digest: "sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958" + digest: "sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a" useDigest: true pullPolicy: "IfNotPresent" # -- TCP port for the clustermesh-apiserver health API. @@ -3412,7 +3412,7 @@ authentication: override: ~ repository: "docker.io/library/busybox" tag: "1.36.1" - digest: "sha256:d75b758a4fea99ffff4db799e16f853bbde8643671b5b72464a8ba94cbe3dbe3" + digest: "sha256:71b79694b71639e633452f57fd9de40595d524de308349218d9a6a144b40be02" useDigest: true pullPolicy: "IfNotPresent" # SPIRE agent configuration diff --git a/packages/system/cilium/images/cilium/Dockerfile b/packages/system/cilium/images/cilium/Dockerfile index 724699b4..99975a73 100644 --- a/packages/system/cilium/images/cilium/Dockerfile +++ b/packages/system/cilium/images/cilium/Dockerfile @@ -1,2 +1,2 @@ -ARG VERSION=v1.16.5 +ARG VERSION=v1.16.6 FROM quay.io/cilium/cilium:${VERSION} From f768dc1632f87438c8851ea74cc241bdbe638029 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 7 Feb 2025 08:40:49 +0100 Subject: [PATCH 2/7] Introduce externalMethod=WholeIP for VMs (#616) 
Signed-off-by: Andrei Kvapil ## Summary by CodeRabbit - **New Features** - Introduced a new configuration option for specifying the method to handle external traffic. Users can now choose between "WholeIP" and "PortList" (default) across virtual machine and instance deployments. - Service settings now adjust automatically based on the selected external traffic method. - **Documentation** - Updated configuration guides to include details on the new `externalMethod` parameter and its usage for managing external traffic. --------- Signed-off-by: Andrei Kvapil --- packages/apps/versions_map | 6 +++-- packages/apps/virtual-machine/Chart.yaml | 4 +-- packages/apps/virtual-machine/Makefile | 1 + packages/apps/virtual-machine/README.md | 1 + .../virtual-machine/templates/service.yaml | 8 ++++++ .../apps/virtual-machine/values.schema.json | 9 +++++++ packages/apps/virtual-machine/values.yaml | 2 ++ packages/apps/vm-instance/Chart.yaml | 4 +-- packages/apps/vm-instance/Makefile | 1 + packages/apps/vm-instance/README.md | 25 ++++++++++--------- .../apps/vm-instance/templates/service.yaml | 8 ++++++ packages/apps/vm-instance/values.schema.json | 9 +++++++ packages/apps/vm-instance/values.yaml | 2 ++ 13 files changed, 62 insertions(+), 18 deletions(-) diff --git a/packages/apps/versions_map b/packages/apps/versions_map index ece42d41..e9e597cc 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -109,13 +109,15 @@ virtual-machine 0.4.0 4746d51 virtual-machine 0.5.0 cad9cde virtual-machine 0.6.0 0e728870 virtual-machine 0.7.0 af58018a -virtual-machine 0.7.1 HEAD +virtual-machine 0.7.1 05857b95 +virtual-machine 0.8.0 HEAD vm-disk 0.1.0 HEAD vm-instance 0.1.0 ced8e5b9 vm-instance 0.2.0 4f767ee3 vm-instance 0.3.0 0e728870 vm-instance 0.4.0 af58018a -vm-instance 0.4.1 HEAD +vm-instance 0.4.1 05857b95 +vm-instance 0.5.0 HEAD vpn 0.1.0 f642698 vpn 0.2.0 7151424 vpn 0.3.0 a2bcf100 
diff --git a/packages/apps/virtual-machine/Chart.yaml b/packages/apps/virtual-machine/Chart.yaml index 5ac2d8fe..859719e2 100644 --- a/packages/apps/virtual-machine/Chart.yaml +++ b/packages/apps/virtual-machine/Chart.yaml @@ -17,10 +17,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.7.1 +version: 0.8.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.7.1" +appVersion: "0.8.0" diff --git a/packages/apps/virtual-machine/Makefile b/packages/apps/virtual-machine/Makefile index 31ae2f19..e1bc3a91 100644 --- a/packages/apps/virtual-machine/Makefile +++ b/packages/apps/virtual-machine/Makefile @@ -8,3 +8,4 @@ generate: && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json yq -i -o json '.properties.systemDisk.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' values.schema.json + yq -i -o json '.properties.externalMethod.enum = ["wholeIP", "PortList"]' values.schema.json diff --git a/packages/apps/virtual-machine/README.md b/packages/apps/virtual-machine/README.md index 90bf3dc4..29b22401 100644 --- a/packages/apps/virtual-machine/README.md +++ b/packages/apps/virtual-machine/README.md 
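Review bot: The enum written by the added `yq` line spells the first value `wholeIP`, but this chart's values.yaml defaults to `WholeIP` and templates/service.yaml compares against `"WholeIP"`; the regenerated values.schema.json hunk carries the same lowercase spelling next to `"default": "WholeIP"`. Helm checks the supplied values against values.schema.json, so the chart's own default would be expected to fail validation. A value of `wholeIP` passes the schema but then selects the port-list branch of the Service template. The line should read `yq -i -o json '.properties.externalMethod.enum = ["WholeIP", "PortList"]' values.schema.json`, as in the vm-instance Makefile, and the schema should be regenerated.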
@@ -39,6 +39,7 @@ virtctl ssh @ | Name | Description | Value | | ------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------- | | `external` | Enable external access from outside the cluster | `false` | +| `externalMethod` | specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` | `WholeIP` | | `externalPorts` | Specify ports to forward from outside the cluster | `[]` | | `running` | Determines if the virtual machine should be running | `true` | | `instanceType` | Virtual Machine instance type | `u1.medium` | diff --git a/packages/apps/virtual-machine/templates/service.yaml b/packages/apps/virtual-machine/templates/service.yaml index 9c1dc2aa..eed8dbad 100644 --- a/packages/apps/virtual-machine/templates/service.yaml +++ b/packages/apps/virtual-machine/templates/service.yaml @@ -6,6 +6,10 @@ metadata: name: {{ include "virtual-machine.fullname" . }} labels: {{- include "virtual-machine.labels" . | nindent 4 }} + {{- if eq .Values.externalMethod "WholeIP" }} + annotations: + networking.cozystack.io/wholeIP: "true" + {{- end }} spec: type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }} externalTrafficPolicy: Local @@ -13,9 +17,13 @@ spec: selector: {{- include "virtual-machine.labels" . | nindent 4 }} ports: + {{- if eq .Values.externalMethod "WholeIP" }} + - port: 65535 + {{- else }} {{- range .Values.externalPorts }} - name: port-{{ . }} port: {{ . }} targetPort: {{ . }} {{- end }} + {{- end }} {{- end }} diff --git a/packages/apps/virtual-machine/values.schema.json b/packages/apps/virtual-machine/values.schema.json index 1192b2d8..d2c53544 100644 --- a/packages/apps/virtual-machine/values.schema.json +++ b/packages/apps/virtual-machine/values.schema.json 
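Review bot: Both added `eq .Values.externalMethod "WholeIP"` tests treat every other value, including a misspelling or a different letter case, as the port-list mode, so the template never rejects an unknown method and relies entirely on the schema enum. A guard near the top of the template, such as `{{- if not (has .Values.externalMethod (list "WholeIP" "PortList")) }}{{ fail "externalMethod must be WholeIP or PortList" }}{{- end }}`, would make the failure explicit. The `- port: 65535` entry also needs a comment saying why that number is used, for example `# placeholder port; presumably ignored by the consumer of the wholeIP annotation`, with the wording confirmed against whatever reads `networking.cozystack.io/wholeIP`, which is not shown here. The enclosing `if` block opens above the first hunk, and the same two hunks appear in vm-instance/templates/service.yaml.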
@@ -7,6 +7,15 @@ "description": "Enable external access from outside the cluster", "default": false }, + "externalMethod": { + "type": "string", + "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`", + "default": "WholeIP", + "enum": [ + "wholeIP", + "PortList" + ] + }, "externalPorts": { "type": "array", "description": "Specify ports to forward from outside the cluster", diff --git a/packages/apps/virtual-machine/values.yaml b/packages/apps/virtual-machine/values.yaml index f1b0300e..0d651378 100644 --- a/packages/apps/virtual-machine/values.yaml +++ b/packages/apps/virtual-machine/values.yaml @@ -1,8 +1,10 @@ ## @section Common parameters ## @param external Enable external access from outside the cluster +## @param externalMethod specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` ## @param externalPorts [array] Specify ports to forward from outside the cluster external: false +externalMethod: WholeIP externalPorts: - 22 diff --git a/packages/apps/vm-instance/Chart.yaml b/packages/apps/vm-instance/Chart.yaml index b6fbce6e..f5f697a3 100644 --- a/packages/apps/vm-instance/Chart.yaml +++ b/packages/apps/vm-instance/Chart.yaml @@ -17,10 +17,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.1 +version: 0.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.4.1" +appVersion: "0.5.0" 
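Review bot: The added default `externalMethod: WholeIP` applies the whole-IP mode to every release that does not set the value. An existing VM with `external: true` and a port list such as `- 22` would, after upgrading to 0.8.0, render the `wholeIP` annotation and the single `65535` port instead of its listed ports. Judging by the option name, that exposes more of the VM than the port list did, and the commit description names `PortList` as the default. Setting `externalMethod: PortList` here, with the matching `"default"` in values.schema.json and the README table, would keep upgrades from widening what is reachable from outside the cluster and leave `WholeIP` as an explicit opt-in. The same default is added in vm-instance/values.yaml.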
diff --git a/packages/apps/vm-instance/Makefile b/packages/apps/vm-instance/Makefile index f6e91ba7..a9aee79c 100644 --- a/packages/apps/vm-instance/Makefile +++ b/packages/apps/vm-instance/Makefile @@ -8,3 +8,4 @@ generate: PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \ && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json + yq -i -o json '.properties.externalMethod.enum = ["WholeIP", "PortList"]' values.schema.json diff --git a/packages/apps/vm-instance/README.md b/packages/apps/vm-instance/README.md index acd14b87..53d9f614 100644 --- a/packages/apps/vm-instance/README.md +++ b/packages/apps/vm-instance/README.md 
@@ -36,18 +36,19 @@ virtctl ssh @ ### Common parameters -| Name | Description | Value | -| ------------------ | ---------------------------------------------------------------------------------- | ---------------- | -| `external` | Enable external access from outside the cluster | `false` | -| `externalPorts` | Specify ports to forward from outside the cluster | `[]` | -| `running` | Determines if the virtual machine should be running | `true` | -| `instanceType` | Virtual Machine instance type | `u1.medium` | -| `instanceProfile` | Virtual Machine prefferences profile | `ubuntu` | -| `disks` | List of disks to attach | `[]` | -| `resources.cpu` | The number of CPU cores allocated to the virtual machine | `""` | -| `resources.memory` | The amount of memory allocated to the virtual machine | `""` | -| `sshKeys` | List of SSH public keys for authentication. Can be a single key or a list of keys. | `[]` | -| `cloudInit` | cloud-init user data config. See cloud-init documentation for more details. | `#cloud-config +| Name | Description | Value | +| ------------------ | ---------------------------------------------------------------------------------------------------------- | ---------------- | +| `external` | Enable external access from outside the cluster | `false` | +| `externalMethod` | specify method to passthrough the traffic to the virtual machine. 
Allowed values: `WholeIP` and `PortList` | `WholeIP` | +| `externalPorts` | Specify ports to forward from outside the cluster | `[]` | +| `running` | Determines if the virtual machine should be running | `true` | +| `instanceType` | Virtual Machine instance type | `u1.medium` | +| `instanceProfile` | Virtual Machine prefferences profile | `ubuntu` | +| `disks` | List of disks to attach | `[]` | +| `resources.cpu` | The number of CPU cores allocated to the virtual machine | `""` | +| `resources.memory` | The amount of memory allocated to the virtual machine | `""` | +| `sshKeys` | List of SSH public keys for authentication. Can be a single key or a list of keys. | `[]` | +| `cloudInit` | cloud-init user data config. See cloud-init documentation for more details. | `#cloud-config ` | ## U Series diff --git a/packages/apps/vm-instance/templates/service.yaml b/packages/apps/vm-instance/templates/service.yaml index 9c1dc2aa..eed8dbad 100644 --- a/packages/apps/vm-instance/templates/service.yaml +++ b/packages/apps/vm-instance/templates/service.yaml @@ -6,6 +6,10 @@ metadata: name: {{ include "virtual-machine.fullname" . }} labels: {{- include "virtual-machine.labels" . | nindent 4 }} + {{- if eq .Values.externalMethod "WholeIP" }} + annotations: + networking.cozystack.io/wholeIP: "true" + {{- end }} spec: type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }} externalTrafficPolicy: Local @@ -13,9 +17,13 @@ spec: selector: {{- include "virtual-machine.labels" . | nindent 4 }} ports: + {{- if eq .Values.externalMethod "WholeIP" }} + - port: 65535 + {{- else }} {{- range .Values.externalPorts }} - name: port-{{ . }} port: {{ . }} targetPort: {{ . }} {{- end }} + {{- end }} {{- end }} diff --git a/packages/apps/vm-instance/values.schema.json b/packages/apps/vm-instance/values.schema.json index 6ef0c40d..40560861 100644 --- a/packages/apps/vm-instance/values.schema.json +++ b/packages/apps/vm-instance/values.schema.json 
@@ -7,6 +7,15 @@ "description": "Enable external access from outside the cluster", "default": false }, + "externalMethod": { + "type": "string", + "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`", + "default": "WholeIP", + "enum": [ + "WholeIP", + "PortList" + ] + }, "externalPorts": { "type": "array", "description": "Specify ports to forward from outside the cluster", diff --git a/packages/apps/vm-instance/values.yaml b/packages/apps/vm-instance/values.yaml index b7e2f83c..418ba7e8 100644 --- a/packages/apps/vm-instance/values.yaml +++ b/packages/apps/vm-instance/values.yaml @@ -1,8 +1,10 @@ ## @section Common parameters ## @param external Enable external access from outside the cluster +## @param externalMethod specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` ## @param externalPorts [array] Specify ports to forward from outside the cluster external: false +externalMethod: WholeIP externalPorts: - 22 From 5f406851613f19b6bb1a677e3fa6417b84138ce1 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 7 Feb 2025 13:53:56 +0100 Subject: [PATCH 3/7] fix: running=false for the VMs (#621) ## Summary by CodeRabbit - **Chores** - Revised Virtual Machine configuration to require explicit confirmation for the running state. The system no longer auto-activates instances by default, giving users more direct control over instance activation. Existing validations continue to ensure that only valid configurations are applied, resulting in a more reliable deployment process. --- packages/apps/vm-instance/templates/vm.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/apps/vm-instance/templates/vm.yaml b/packages/apps/vm-instance/templates/vm.yaml index eb6ec94b..843ae221 100644 --- a/packages/apps/vm-instance/templates/vm.yaml +++ b/packages/apps/vm-instance/templates/vm.yaml 
@@ -12,7 +12,7 @@ metadata: labels: {{- include "virtual-machine.labels" . | nindent 4 }} spec: - running: {{ .Values.running | default "true" }} + running: {{ .Values.running }} {{- with .Values.instanceType }} instancetype: kind: VirtualMachineClusterInstancetype From bf68404c53a619ec02823d2878698b053193cbba Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 7 Feb 2025 14:47:45 +0100 Subject: [PATCH 4/7] Update Talos v1.9.3 (#617) ## Summary by CodeRabbit - **Chores** - Upgraded the core installer and related system images from version v1.9.2 to v1.9.3. - Refreshed firmware and driver references for improved consistency across all installation profiles. --- packages/core/builder/values.yaml | 2 +- .../images/talos/profiles/initramfs.yaml | 16 ++++++++-------- .../images/talos/profiles/installer.yaml | 16 ++++++++-------- .../installer/images/talos/profiles/iso.yaml | 16 ++++++++-------- .../installer/images/talos/profiles/kernel.yaml | 16 ++++++++-------- .../installer/images/talos/profiles/metal.yaml | 16 ++++++++-------- .../installer/images/talos/profiles/nocloud.yaml | 16 ++++++++-------- 7 files changed, 49 insertions(+), 49 deletions(-) diff --git a/packages/core/builder/values.yaml b/packages/core/builder/values.yaml index 2dbbe11a..fb061354 100755 --- a/packages/core/builder/values.yaml +++ b/packages/core/builder/values.yaml @@ -1,3 +1,3 @@ talos: imager: - image: ghcr.io/siderolabs/imager:v1.9.2 + image: ghcr.io/siderolabs/imager:v1.9.3 diff --git a/packages/core/installer/images/talos/profiles/initramfs.yaml b/packages/core/installer/images/talos/profiles/initramfs.yaml index 9993ba57..790dca83 100644 --- a/packages/core/installer/images/talos/profiles/initramfs.yaml +++ b/packages/core/installer/images/talos/profiles/initramfs.yaml 
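Review bot: With the `default` removed, `running: {{ .Values.running }}` would be expected to render an empty value when `running` is null or absent in the merged values, where the old expression produced `true`. If that fallback is still wanted, `running: {{ if kindIs "invalid" .Values.running }}true{{ else }}{{ .Values.running }}{{ end }}` keeps it while letting an explicit `false` through, which `default` could not do because it treats `false` as empty. Only vm-instance/templates/vm.yaml is touched by this patch; if the virtual-machine chart's VM template uses the same `default "true"` expression, it would need the same change.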
@@ -3,24 +3,24 @@ arch: amd64 platform: metal secureboot: false -version: v1.9.2 +version: v1.9.3 input: kernel: path: /usr/install/amd64/vmlinuz initramfs: path: /usr/install/amd64/initramfs.xz baseInstaller: - imageRef: ghcr.io/siderolabs/installer:v1.9.2 + imageRef: ghcr.io/siderolabs/installer:v1.9.3 systemExtensions: - - imageRef: ghcr.io/siderolabs/amd-ucode:20241210 + - imageRef: ghcr.io/siderolabs/amd-ucode:20250109 - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110 - - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210 + - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109 - imageRef: ghcr.io/siderolabs/i915-ucode:20241110 - - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210 + - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109 - imageRef: ghcr.io/siderolabs/intel-ucode:20241112 - - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210 - - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2 - - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2 + - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109 + - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3 + - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3 output: kind: initramfs imageOptions: {} diff --git a/packages/core/installer/images/talos/profiles/installer.yaml b/packages/core/installer/images/talos/profiles/installer.yaml index e2199ced..1def0f9c 100644 --- a/packages/core/installer/images/talos/profiles/installer.yaml +++ b/packages/core/installer/images/talos/profiles/installer.yaml 
@@ -3,24 +3,24 @@ arch: amd64 platform: metal secureboot: false -version: v1.9.2 +version: v1.9.3 input: kernel: path: /usr/install/amd64/vmlinuz initramfs: path: /usr/install/amd64/initramfs.xz baseInstaller: - imageRef: ghcr.io/siderolabs/installer:v1.9.2 + imageRef: ghcr.io/siderolabs/installer:v1.9.3 systemExtensions: - - imageRef: ghcr.io/siderolabs/amd-ucode:20241210 + - imageRef: ghcr.io/siderolabs/amd-ucode:20250109 - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110 - - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210 + - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109 - imageRef: ghcr.io/siderolabs/i915-ucode:20241110 - - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210 + - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109 - imageRef: ghcr.io/siderolabs/intel-ucode:20241112 - - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210 - - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2 - - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2 + - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109 + - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3 + - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3 output: kind: installer imageOptions: {} diff --git a/packages/core/installer/images/talos/profiles/iso.yaml b/packages/core/installer/images/talos/profiles/iso.yaml index c0314db7..8550ed40 100644 --- a/packages/core/installer/images/talos/profiles/iso.yaml +++ b/packages/core/installer/images/talos/profiles/iso.yaml 
@@ -3,24 +3,24 @@ arch: amd64 platform: metal secureboot: false -version: v1.9.2 +version: v1.9.3 input: kernel: path: /usr/install/amd64/vmlinuz initramfs: path: /usr/install/amd64/initramfs.xz baseInstaller: - imageRef: ghcr.io/siderolabs/installer:v1.9.2 + imageRef: ghcr.io/siderolabs/installer:v1.9.3 systemExtensions: - - imageRef: ghcr.io/siderolabs/amd-ucode:20241210 + - imageRef: ghcr.io/siderolabs/amd-ucode:20250109 - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110 - - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210 + - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109 - imageRef: ghcr.io/siderolabs/i915-ucode:20241110 - - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210 + - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109 - imageRef: ghcr.io/siderolabs/intel-ucode:20241112 - - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210 - - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2 - - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2 + - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109 + - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3 + - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3 output: kind: iso imageOptions: {} diff --git a/packages/core/installer/images/talos/profiles/kernel.yaml b/packages/core/installer/images/talos/profiles/kernel.yaml index 6149be11..9c70334b 100644 --- a/packages/core/installer/images/talos/profiles/kernel.yaml +++ b/packages/core/installer/images/talos/profiles/kernel.yaml 
@@ -3,24 +3,24 @@ arch: amd64 platform: metal secureboot: false -version: v1.9.2 +version: v1.9.3 input: kernel: path: /usr/install/amd64/vmlinuz initramfs: path: /usr/install/amd64/initramfs.xz baseInstaller: - imageRef: ghcr.io/siderolabs/installer:v1.9.2 + imageRef: ghcr.io/siderolabs/installer:v1.9.3 systemExtensions: - - imageRef: ghcr.io/siderolabs/amd-ucode:20241210 + - imageRef: ghcr.io/siderolabs/amd-ucode:20250109 - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110 - - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210 + - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109 - imageRef: ghcr.io/siderolabs/i915-ucode:20241110 - - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210 + - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109 - imageRef: ghcr.io/siderolabs/intel-ucode:20241112 - - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210 - - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2 - - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2 + - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109 + - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3 + - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3 output: kind: kernel imageOptions: {} diff --git a/packages/core/installer/images/talos/profiles/metal.yaml b/packages/core/installer/images/talos/profiles/metal.yaml index 2d201a9f..c32b82b1 100644 --- a/packages/core/installer/images/talos/profiles/metal.yaml +++ b/packages/core/installer/images/talos/profiles/metal.yaml 
@@ -3,24 +3,24 @@ arch: amd64 platform: metal secureboot: false -version: v1.9.2 +version: v1.9.3 input: kernel: path: /usr/install/amd64/vmlinuz initramfs: path: /usr/install/amd64/initramfs.xz baseInstaller: - imageRef: ghcr.io/siderolabs/installer:v1.9.2 + imageRef: ghcr.io/siderolabs/installer:v1.9.3 systemExtensions: - - imageRef: ghcr.io/siderolabs/amd-ucode:20241210 + - imageRef: ghcr.io/siderolabs/amd-ucode:20250109 - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110 - - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210 + - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109 - imageRef: ghcr.io/siderolabs/i915-ucode:20241110 - - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210 + - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109 - imageRef: ghcr.io/siderolabs/intel-ucode:20241112 - - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210 - - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2 - - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2 + - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109 + - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3 + - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3 output: kind: image imageOptions: { diskSize: 1306525696, diskFormat: raw } diff --git a/packages/core/installer/images/talos/profiles/nocloud.yaml b/packages/core/installer/images/talos/profiles/nocloud.yaml index a2373c9e..67a8d14b 100644 --- a/packages/core/installer/images/talos/profiles/nocloud.yaml +++ b/packages/core/installer/images/talos/profiles/nocloud.yaml 
@@ -3,24 +3,24 @@ arch: amd64 platform: nocloud secureboot: false -version: v1.9.2 +version: v1.9.3 input: kernel: path: /usr/install/amd64/vmlinuz initramfs: path: /usr/install/amd64/initramfs.xz baseInstaller: - imageRef: ghcr.io/siderolabs/installer:v1.9.2 + imageRef: ghcr.io/siderolabs/installer:v1.9.3 systemExtensions: - - imageRef: ghcr.io/siderolabs/amd-ucode:20241210 + - imageRef: ghcr.io/siderolabs/amd-ucode:20250109 - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110 - - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210 + - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109 - imageRef: ghcr.io/siderolabs/i915-ucode:20241110 - - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210 + - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109 - imageRef: ghcr.io/siderolabs/intel-ucode:20241112 - - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210 - - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2 - - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2 + - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109 + - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3 + - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3 output: kind: image imageOptions: { diskSize: 1306525696, diskFormat: raw } From dacabe63172b3e294d0ba97f27d996ffa3921939 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Sat, 8 Feb 2025 22:07:12 +0100 Subject: [PATCH 5/7] Update cozy-proxy v0.1.1 (#624) --- packages/system/cozy-proxy/Chart.yaml | 2 +- packages/system/cozy-proxy/charts/cozy-proxy/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/system/cozy-proxy/Chart.yaml b/packages/system/cozy-proxy/Chart.yaml index 5dd1730b..9be3ef01 100644 --- a/packages/system/cozy-proxy/Chart.yaml +++ b/packages/system/cozy-proxy/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 -name: cozy-cozystack-api +name: cozy-cozy-proxy version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process 
diff --git a/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml index 57d246b5..099f2905 100644 --- a/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml +++ b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml @@ -1,6 +1,6 @@ image: repository: ghcr.io/aenix-io/cozystack/cozy-proxy - tag: v0.1.0 + tag: v0.1.1 pullPolicy: IfNotPresent daemonset: From 6245976d3e144545078ffc11112000bed9228367 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Sat, 8 Feb 2025 22:07:24 +0100 Subject: [PATCH 6/7] Fix bootbox chartname (#623) --- packages/system/bootbox/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/system/bootbox/Chart.yaml b/packages/system/bootbox/Chart.yaml index dabadb65..1a0c732f 100644 --- a/packages/system/bootbox/Chart.yaml +++ b/packages/system/bootbox/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 -name: cozy-smee +name: cozy-bootbox version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process From 3fa4dd3af95a71659801b5c147cb0cce7329789b Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Sun, 9 Feb 2025 11:41:28 +0100 Subject: [PATCH 7/7] Prepare release v0.25.0 (#622) Signed-off-by: Andrei Kvapil ## Summary by CodeRabbit - **Chores** - Upgraded multiple system components to the latest version, ensuring improved performance, stability, and enhanced security. - Updated deployment and testing configurations across the platform for a more reliable user experience. 
Signed-off-by: Andrei Kvapil --- Makefile | 1 + manifests/cozystack-installer.yaml | 4 ++-- packages/apps/http-cache/images/nginx-cache.tag | 2 +- packages/apps/kubernetes/images/kubevirt-cloud-provider.tag | 2 +- packages/apps/kubernetes/images/kubevirt-csi-driver.tag | 2 +- packages/apps/kubernetes/images/ubuntu-container-disk.tag | 2 +- packages/core/installer/values.yaml | 2 +- packages/core/testing/values.yaml | 2 +- packages/extra/bootbox/images/matchbox.tag | 2 +- packages/extra/monitoring/images/grafana.tag | 2 +- packages/system/bucket/images/s3manager.tag | 2 +- packages/system/cilium/values.yaml | 4 ++-- packages/system/cozystack-api/values.yaml | 2 +- packages/system/cozystack-controller/values.yaml | 4 ++-- .../charts/kubeapps/templates/dashboard/configmap.yaml | 2 +- packages/system/dashboard/values.yaml | 4 ++-- packages/system/kamaji/values.yaml | 2 +- packages/system/kubeovn/values.yaml | 2 +- 18 files changed, 22 insertions(+), 21 deletions(-) diff --git a/Makefile b/Makefile index dda80d2e..1126c917 100644 --- a/Makefile +++ b/Makefile @@ -36,6 +36,7 @@ assets: make -C packages/core/installer/ assets test: + test -f _out/assets/nocloud-amd64.raw.xz || make -C packages/core/installer talos-nocloud make -C packages/core/testing apply make -C packages/core/testing test make -C packages/core/testing test-applications diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index c998e60b..b602a3aa 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.24.1" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.25.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost 
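Review bot: In the Makefile `test` target, the added `test -f _out/assets/nocloud-amd64.raw.xz || make -C packages/core/installer talos-nocloud` guard only checks that the file exists, so an image left over from an earlier build is reused unchanged. Earlier in this series the Talos profiles move from v1.9.2 to v1.9.3, so a stale `_out/assets` directory would make the test run exercise the previous OS image instead of the one being released, and a truncated file from an interrupted build also passes the check. Consider making the asset a real make target with the profile files as prerequisites, or at least add a comment above the line such as `# reuses an existing nocloud image; delete _out/assets to force a rebuild`. The recipe continues outside the hunk.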
@@ -87,7 +87,7 @@ spec:
 fieldRef:
 fieldPath: metadata.name
 - name: assets
- image: "ghcr.io/aenix-io/cozystack/cozystack:v0.24.1"
+ image: "ghcr.io/aenix-io/cozystack/cozystack:v0.25.0"
 command:
 - /usr/bin/cozystack-assets-server
 - "-dir=/cozystack/assets"
diff --git a/packages/apps/http-cache/images/nginx-cache.tag b/packages/apps/http-cache/images/nginx-cache.tag
index a5bb5700..f7046a4b 100644
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:b311eb8eb0c50a2707a6aef06a34a33c3ca40f2041eb30e73dd338ea3d11f33e
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:f30e9bd4b8a2a4362b88ac8974b12ed1ded631c4eeea87831bb446bb302b2e29
diff --git a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
index f80e6d62..71c14cec 100644
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:22302ca96a146617636bda107991825f6fcdb4599d360ab392aca1c00ed81a94
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:5efee8f76d0948936255c4cabad58057523502f77ceb40216ffae7e02841f85b
diff --git a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
index ea03b802..66fb2958 100644
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:1318c7612391186b2a5d96c6fed2d13bd8fb2f6c13770e29e5d5abc517d9c138
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:daac6de8ad25de9d30eb5e928271cebaaa59193889231a54fd4f60e8a1c5f51a
diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.tag b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
index d7618da4..20693c07 100644
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:e4d153f11a545276cd299e893c28bf21c64eefa64ea25dbba3a0b40df0e3dbe9
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:7bacb7853e656b6149c3a38c5cd925891011eb94358d4d11e154082ab8b3a643
diff --git a/packages/core/installer/values.yaml b/packages/core/installer/values.yaml
index dd1b87db..3561a91f 100644
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
- image: ghcr.io/aenix-io/cozystack/cozystack:v0.24.1@sha256:2a07ec771337e41720196311ef53b120f2925abfc389eb36bc3c785c71817abd
+ image: ghcr.io/aenix-io/cozystack/cozystack:v0.25.0@sha256:86860fd1ddcd9709cb2a756409bc4983c44cd09b961d3b677469767fc93a7e36
diff --git a/packages/core/testing/values.yaml b/packages/core/testing/values.yaml
index 9d4ff557..af8fc237 100755
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
- image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.24.1@sha256:3b4db74ce6225599fcf172a575a099e0ed365c81e62eb264bb49e38387232031
+ image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.25.0@sha256:c9165c329fd2536e0342345792586d3e6f4007a6e6bd2cce133f17088fd3e785
diff --git a/packages/extra/bootbox/images/matchbox.tag b/packages/extra/bootbox/images/matchbox.tag
index a6d54789..8e360bad 100644
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/matchbox:v0.24.1@sha256:002d540c3a5583bfadbcbd436c2e582e51fc854068a2a7d2dba41072e921ca96
\ No newline at end of file
+ghcr.io/aenix-io/cozystack/matchbox:v0.25.0@sha256:ffcfc340f19c7c6bc50f49d75b41c802df9bddc71d9e6fdeb9b9ad7dc242a5d1
diff --git a/packages/extra/monitoring/images/grafana.tag b/packages/extra/monitoring/images/grafana.tag
index 4948a2ec..6c2e9856 100644
--- a/packages/extra/monitoring/images/grafana.tag
+++ b/packages/extra/monitoring/images/grafana.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/grafana:1.8.0@sha256:1a484f970903cc38745251f3fbc1d4737065f2d0a8a08c0adccc8972aa25aa59
+ghcr.io/aenix-io/cozystack/grafana:1.8.0@sha256:0377abd3cb2c6e27b12ac297f1859aa4d550f1aa14989f824f2315d0dfd1a5b2
diff --git a/packages/system/bucket/images/s3manager.tag b/packages/system/bucket/images/s3manager.tag
index 4165b940..956ec0ea 100644
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:ced16c5ef3869e8ffbd0e880693b78ac47bdf310efcdb3e66ece6b22aaa5a75f
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:e4a4ab82290e6fc940beb799d5c15c7ed76f9752d3fce21fae6c2596a5da20b0
diff --git a/packages/system/cilium/values.yaml b/packages/system/cilium/values.yaml
index 7b753b2c..70ac5c9f 100644
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -12,7 +12,7 @@ cilium:
 mode: "kubernetes"
 image:
 repository: ghcr.io/aenix-io/cozystack/cilium
- tag: 1.16.5
- digest: "sha256:eae9d5531c115f8946990a731bfaaebc905b020a2957559b3c9f2ce1c655a834"
+ tag: 1.16.6
+ digest: "sha256:cf64df62897b071d5a9a005564ecbfb9124aa82a96957e329ce28a187864f113"
 envoy:
 enabled: false
diff --git a/packages/system/cozystack-api/values.yaml b/packages/system/cozystack-api/values.yaml
index a06b6c66..b69ecac8 100644
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,2 +1,2 @@
 cozystackAPI:
- image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.24.1@sha256:ab6f4852be7d2be5deea8ace6f8901d8cbf41e87d219fdb805047f7a2bcbd2ed
+ image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.25.0@sha256:513c49f8e2c1e2489faff03aacfcd609324ed5dc31ac594f9dd8a6feec0e7884
diff --git a/packages/system/cozystack-controller/values.yaml b/packages/system/cozystack-controller/values.yaml
index 7b583eb2..92b28c61 100644
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,5 +1,5 @@
 cozystackController:
- image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.24.1@sha256:e59a04c072c0c50c3174b34329830d05266f3c87a4235dc8fbd78d91be9ceb2c
+ image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.25.0@sha256:9fe9369a88f7bf317bf84cf05fe733f50879467bf7b2ab58f50d914ff1b253cc
 debug: false
 disableTelemetry: false
- cozystackVersion: "v0.24.1"
+ cozystackVersion: "v0.25.0"
diff --git a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
index bb4782af..b7fb2ccf 100644
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
@@ -76,7 +76,7 @@ data:
 "kubeappsNamespace": {{ .Release.Namespace | quote }},
 "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
 "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
- "appVersion": "v0.24.1",
+ "appVersion": "v0.25.0",
 "authProxyEnabled": {{ .Values.authProxy.enabled }},
 "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
 "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
diff --git a/packages/system/dashboard/values.yaml b/packages/system/dashboard/values.yaml
index aebc11be..ca7a32a0 100644
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -40,13 +40,13 @@ kubeapps:
 image:
 registry: ghcr.io/aenix-io/cozystack
 repository: dashboard
- tag: v0.24.1
+ tag: v0.25.0
 digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
 kubeappsapis:
 image:
 registry: ghcr.io/aenix-io/cozystack
 repository: kubeapps-apis
- tag: v0.24.1
+ tag: v0.25.0
 digest: "sha256:72308ae00344d48e7ed58c5b1383874e84bcd82ac53b76857172b9ef510d53a6"
 pluginConfig:
 flux:
diff --git a/packages/system/kamaji/values.yaml b/packages/system/kamaji/values.yaml
index e6cf7d04..20eba221 100644
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
 deploy: false
 image:
 pullPolicy: IfNotPresent
- tag: v0.24.1@sha256:97a69a1ec6669d395f1d6875998903f94faf8f171d2c29f35c2f8b66fa06e676
+ tag: v0.25.0@sha256:948a496a23b4b3158517473afd74a693380bfecb9f5346c214c8beef6deb405a
 repository: ghcr.io/aenix-io/cozystack/kamaji
 resources:
 limits:
diff --git a/packages/system/kubeovn/values.yaml b/packages/system/kubeovn/values.yaml
index 65f90081..717d0fe0 100644
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -22,4 +22,4 @@ global:
 images:
 kubeovn:
 repository: kubeovn
- tag: v1.13.2@sha256:f7c33e8b29dfe0fa908db994cdb8c4026ac562975e9ad70c8a4c81c0319d62a9
+ tag: v1.13.2@sha256:fccaf6b1f6514378f4ba2e17399af5b0c20ecf13f78142409848486b0992e5fd
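Review bot: In packages/system/dashboard/values.yaml both `tag:` values move to v0.25.0 while the `digest:` line directly beneath each of them (for `dashboard` and for `kubeapps-apis`) is unchanged context. If the chart resolves the image by digest whenever one is set, which is the usual behaviour but should be confirmed against the template, the tag bump does not change what is pulled and the tag no longer describes the pinned content. Every other digest-pinned image whose tag changes in this commit also receives a new digest, so either regenerate these two digests from the v0.25.0 build or record the reason next to them, for example `# digest unchanged: image content identical to v0.24.1`. The `kubeapps:` mapping starts and ends outside the hunk.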