github-personal/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-01-27 18:18:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Upd: Cilium to v1.17.2 (#796)

Browse Source 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
This commit is contained in:
Andrei Kvapil
2025-04-10 14:35:07 +02:00
committed by GitHub
parent ba4798464d 4c220bb443
commit e5b81f367e
16 changed files with 176 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
packages/system/cilium/charts/cilium/Chart.yaml
View File

@@ -79,7 +79,7 @@ annotations:
Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can
be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
apiVersion: v2
appVersion: 1.17.1
appVersion: 1.17.2
description: eBPF-based Networking, Security, and Observability
home: https://cilium.io/
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
name: cilium
sources:
- https://github.com/cilium/cilium
version: 1.17.1
version: 1.17.2

26
packages/system/cilium/charts/cilium/README.md
View File

@@ -1,6 +1,6 @@
# cilium
![Version: 1.17.1](https://img.shields.io/badge/Version-1.17.1-informational?style=flat-square) ![AppVersion: 1.17.1](https://img.shields.io/badge/AppVersion-1.17.1-informational?style=flat-square)
![Version: 1.17.2](https://img.shields.io/badge/Version-1.17.2-informational?style=flat-square) ![AppVersion: 1.17.2](https://img.shields.io/badge/AppVersion-1.17.2-informational?style=flat-square)
Cilium is open source software for providing and transparently securing
network connectivity and loadbalancing between application workloads such as
@@ -85,7 +85,7 @@ contributors across the globe, there is almost always someone available to help.
| authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
| authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:a5d0ce49aa801d475da48f8cb163c354ab95cab073cd3c138bd458fc8257fbf1","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server |
| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:498a000f370d8c37927118ed80afe8adc38d1edcbfc071627d17b25c88efcab0","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server |
| authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
| authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
| authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -131,6 +131,8 @@ contributors across the globe, there is almost always someone available to help.
| bpf.ctTcpMax | int | `524288` | Configure the maximum number of entries in the TCP connection tracking table. |
| bpf.datapathMode | string | `veth` | Mode for Pod devices for the core datapath (veth, netkit, netkit-l2, lb-only) |
| bpf.disableExternalIPMitigation | bool | `false` | Disable ExternalIP mitigation (CVE-2020-8554) |
| bpf.distributedLRU | object | `{"enabled":false}` | Control to use a distributed per-CPU backend memory for the core BPF LRU maps which Cilium uses. This improves performance significantly, but it is also recommended to increase BPF map sizing along with that. |
| bpf.distributedLRU.enabled | bool | `false` | Enable distributed LRU backend memory. For compatibility with existing installations it is off by default. |
| bpf.enableTCX | bool | `true` | Attach endpoint programs using tcx instead of legacy tc hooks on supported kernels. |
| bpf.events | object | `{"default":{"burstLimit":null,"rateLimit":null},"drop":{"enabled":true},"policyVerdict":{"enabled":true},"trace":{"enabled":true}}` | Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble. Helm configuration for BPF events map rate limiting is experimental and might change in upcoming releases. |
| bpf.events.default | object | `{"burstLimit":null,"rateLimit":null}` | Default settings for all types of events except dbg and pcap. |
@@ -195,7 +197,7 @@ contributors across the globe, there is almost always someone available to help.
| clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
| clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
| clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
| clustermesh.apiserver.image | object | `{"digest":"sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.1","useDigest":true}` | Clustermesh API server image. |
| clustermesh.apiserver.image | object | `{"digest":"sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.2","useDigest":true}` | Clustermesh API server image. |
| clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
| clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
| clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -375,7 +377,7 @@ contributors across the globe, there is almost always someone available to help.
| envoy.healthPort | int | `9878` | TCP port for the health API. |
| envoy.httpRetryCount | int | `3` | Maximum number of retries for each HTTP request |
| envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
| envoy.image | object | `{"digest":"sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae","useDigest":true}` | Envoy container image. |
| envoy.image | object | `{"digest":"sha256:377c78c13d2731f3720f931721ee309159e782d882251709cb0fac3b42c03f4b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211","useDigest":true}` | Envoy container image. |
| envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
| envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
| envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
@@ -392,6 +394,7 @@ contributors across the globe, there is almost always someone available to help.
| envoy.podLabels | object | `{}` | Labels to be added to envoy pods |
| envoy.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-envoy pods. |
| envoy.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers |
| envoy.policyRestoreTimeoutDuration | string | `nil` | Max duration to wait for endpoint policies to be restored on restart. Default "3m". |
| envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. |
| envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. |
| envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy |
@@ -515,7 +518,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
| hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
| hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
| hubble.relay.image | object | `{"digest":"sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.1","useDigest":true}` | Hubble-relay container image. |
| hubble.relay.image | object | `{"digest":"sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.2","useDigest":true}` | Hubble-relay container image. |
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -582,7 +585,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
| hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
| hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
| hubble.ui.backend.image | object | `{"digest":"sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.1","useDigest":true}` | Hubble-ui backend image. |
| hubble.ui.backend.image | object | `{"digest":"sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.2","useDigest":true}` | Hubble-ui backend image. |
| hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
| hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
| hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
@@ -592,7 +595,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
| hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
| hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
| hubble.ui.frontend.image | object | `{"digest":"sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.1","useDigest":true}` | Hubble-ui frontend image. |
| hubble.ui.frontend.image | object | `{"digest":"sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.2","useDigest":true}` | Hubble-ui frontend image. |
| hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
| hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
| hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@@ -622,7 +625,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd`, `kvstore` or `doublewrite-readkvstore` / `doublewrite-readcrd` for migrating between identity backends). |
| identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
| image | object | `{"digest":"sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.1","useDigest":true}` | Agent container image. |
| image | object | `{"digest":"sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.2","useDigest":true}` | Agent container image. |
| imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
| ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
| ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -759,7 +762,7 @@ contributors across the globe, there is almost always someone available to help.
| operator.hostNetwork | bool | `true` | HostNetwork setting |
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
| operator.image | object | `{"alibabacloudDigest":"sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c","awsDigest":"sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6","azureDigest":"sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b","genericDigest":"sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.1","useDigest":true}` | cilium-operator image. |
| operator.image | object | `{"alibabacloudDigest":"sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe","awsDigest":"sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c","azureDigest":"sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0","genericDigest":"sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.2","useDigest":true}` | cilium-operator image. |
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -809,7 +812,7 @@ contributors across the globe, there is almost always someone available to help.
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
| preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
| preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
| preflight.image | object | `{"digest":"sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.1","useDigest":true}` | Cilium pre-flight image. |
| preflight.image | object | `{"digest":"sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.2","useDigest":true}` | Cilium pre-flight image. |
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -883,7 +886,7 @@ contributors across the globe, there is almost always someone available to help.
| tls.caBundle.useSecret | bool | `false` | Use a Secret instead of a ConfigMap. |
| tls.readSecretsOnlyFromSecretsNamespace | string | `nil` | Configure if the Cilium Agent will only look in `tls.secretsNamespace` for CiliumNetworkPolicy relevant Secrets. If false, the Cilium Agent will be granted READ (GET/LIST/WATCH) access to _all_ secrets in the entire cluster. This is not recommended and is included for backwards compatibility. This value obsoletes `tls.secretsBackend`, with `true` == `local` in the old setting, and `false` == `k8s`. |
| tls.secretSync | object | `{"enabled":null}` | Configures settings for synchronization of TLS Interception Secrets |
| tls.secretSync.enabled | string | `nil` | Enable synchronization of Secrets for TLS Interception. If disabled and tls.secretsBackend is set to 'k8s', then secrets will be read directly by the agent. |
| tls.secretSync.enabled | string | `nil` | Enable synchronization of Secrets for TLS Interception. If disabled and tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent. |
| tls.secretsBackend | string | `nil` | This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). This value is DEPRECATED and will be removed in a future version. Use `tls.readSecretsOnlyFromSecretsNamespace` instead. Possible values: - local - k8s |
| tls.secretsNamespace | object | `{"create":true,"name":"cilium-secrets"}` | Configures where secrets used in CiliumNetworkPolicies will be looked for |
| tls.secretsNamespace.create | bool | `true` | Create secrets namespace for TLS Interception secrets. |
@@ -891,6 +894,7 @@ contributors across the globe, there is almost always someone available to help.
| tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| tunnelPort | int | Port 8472 for VXLAN, Port 6081 for Geneve | Configure VXLAN and Geneve tunnel port. |
| tunnelProtocol | string | `"vxlan"` | Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values: - "" - vxlan - geneve |
| tunnelSourcePortRange | string | 0-0 to let the kernel driver decide the range | Configure VXLAN and Geneve tunnel source port range hint. |
| updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | Cilium agent update strategy |
| upgradeCompatibility | string | `nil` | upgradeCompatibility helps users upgrading to ensure that the configMap for Cilium will not change critical values to ensure continued operation This flag is not required for new installations. For example: '1.7', '1.8', '1.9' |
| vtep.cidr | string | `""` | A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" |

11
packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml
View File

@@ -7,8 +7,15 @@ staticResources:
- name: "envoy-prometheus-metrics-listener"
address:
socketAddress:
address: "0.0.0.0"
address: {{ .Values.ipv4.enabled | ternary "0.0.0.0" "::" | quote }}
portValue: {{ .Values.envoy.prometheus.port }}
{{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
additionalAddresses:
- address:
socketAddress:
address: "::"
portValue: {{ .Values.envoy.prometheus.port }}
{{- end }}
filterChains:
- filters:
- name: "envoy.filters.network.http_connection_manager"
@@ -289,7 +296,7 @@ overloadManager:
applicationLogConfig:
logFormat:
{{- if .Values.envoy.log.format_json }}
jsonFormat: "{{ .Values.envoy.log.format_json | toJson }}"
jsonFormat: {{ .Values.envoy.log.format_json | toJson }}
{{- else }}
textFormat: "{{ .Values.envoy.log.format }}"
{{- end }}

6
packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
View File

@@ -232,7 +232,7 @@ spec:
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }}
{{- if or .Values.prometheus.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) }}
ports:
- name: peer-service
containerPort: {{ .Values.hubble.peerService.targetPort }}
@@ -364,7 +364,7 @@ spec:
mountPath: {{ .Values.kubeConfigPath }}
readOnly: true
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
{{- if and .Values.hubble.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) .Values.hubble.metrics.tls.enabled }}
- name: hubble-metrics-tls
mountPath: /var/lib/cilium/tls/hubble-metrics
readOnly: true
@@ -999,7 +999,7 @@ spec:
path: client-ca.crt
{{- end }}
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
{{- if and .Values.hubble.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) .Values.hubble.metrics.tls.enabled }}
- name: hubble-metrics-tls
projected:
# note: the leading zero means this number is in octal representation: do not remove it

15
packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
View File

@@ -39,6 +39,9 @@ metadata:
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -62,6 +65,9 @@ metadata:
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -85,6 +91,9 @@ metadata:
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -104,6 +113,9 @@ metadata:
namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -123,6 +135,9 @@ metadata:
namespace: {{ .Values.tls.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role

3
packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml
View File

@@ -46,6 +46,9 @@ metadata:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
clusterIP: None
type: ClusterIP

43
packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
View File

@@ -403,7 +403,7 @@ data:
{{- if .Values.bpf.authMapMax }}
# bpf-auth-map-max specifies the maximum number of entries in the auth map
bpf-auth-map-max: {{ .Values.bpf.authMapMax | quote }}
bpf-auth-map-max: "{{ .Values.bpf.authMapMax | int }}"
{{- end }}
{{- if or $bpfCtTcpMax $bpfCtAnyMax }}
# bpf-ct-global-*-max specifies the maximum number of connections
@@ -419,34 +419,34 @@ data:
# For users upgrading from Cilium 1.2 or earlier, to minimize disruption
# during the upgrade process, set bpf-ct-global-tcp-max to 1000000.
{{- if $bpfCtTcpMax }}
bpf-ct-global-tcp-max: {{ $bpfCtTcpMax | quote }}
bpf-ct-global-tcp-max: "{{ $bpfCtTcpMax | int }}"
{{- end }}
{{- if $bpfCtAnyMax }}
bpf-ct-global-any-max: {{ $bpfCtAnyMax | quote }}
bpf-ct-global-any-max: "{{ $bpfCtAnyMax | int }}"
{{- end }}
{{- end }}
{{- if .Values.bpf.ctAccounting }}
bpf-conntrack-accounting: "{{ .Values.bpf.ctAccounting }}"
bpf-conntrack-accounting: "{{ .Values.bpf.ctAccounting | int }}"
{{- end }}
{{- if .Values.bpf.natMax }}
# bpf-nat-global-max specified the maximum number of entries in the
# BPF NAT table.
bpf-nat-global-max: "{{ .Values.bpf.natMax }}"
bpf-nat-global-max: "{{ .Values.bpf.natMax | int }}"
{{- end }}
{{- if .Values.bpf.neighMax }}
# bpf-neigh-global-max specified the maximum number of entries in the
# BPF neighbor table.
bpf-neigh-global-max: "{{ .Values.bpf.neighMax }}"
bpf-neigh-global-max: "{{ .Values.bpf.neighMax | int }}"
{{- end }}
{{- if hasKey .Values.bpf "policyMapMax" }}
# bpf-policy-map-max specifies the maximum number of entries in endpoint
# policy map (per endpoint)
bpf-policy-map-max: "{{ .Values.bpf.policyMapMax }}"
bpf-policy-map-max: "{{ .Values.bpf.policyMapMax | int }}"
{{- end }}
{{- if hasKey .Values.bpf "lbMapMax" }}
# bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
# backend and affinity maps.
bpf-lb-map-max: "{{ .Values.bpf.lbMapMax }}"
bpf-lb-map-max: "{{ .Values.bpf.lbMapMax | int }}"
{{- end }}
{{- if hasKey .Values.bpf "lbExternalClusterIP" }}
bpf-lb-external-clusterip: {{ .Values.bpf.lbExternalClusterIP | quote }}
@@ -461,6 +461,7 @@ data:
bpf-lb-mode-annotation: {{ .Values.bpf.lbModeAnnotation | quote }}
{{- end }}
bpf-distributed-lru: {{ .Values.bpf.distributedLRU.enabled | quote }}
bpf-events-drop-enabled: {{ .Values.bpf.events.drop.enabled | quote }}
bpf-events-policy-verdict-enabled: {{ .Values.bpf.events.policyVerdict.enabled | quote }}
bpf-events-trace-enabled: {{ .Values.bpf.events.trace.enabled | quote }}
@@ -513,6 +514,9 @@ data:
{{- if .Values.tunnelPort }}
tunnel-port: {{ .Values.tunnelPort | quote }}
{{- end }}
{{- if .Values.tunnelSourcePortRange }}
tunnel-source-port-range: {{ .Values.tunnelSourcePortRange | quote }}
{{- end }}
{{- if .Values.serviceNoBackendResponse }}
service-no-backend-response: "{{ .Values.serviceNoBackendResponse }}"
@@ -927,9 +931,8 @@ data:
operator-api-serve-addr: {{ $defaultOperatorApiServeAddr | quote }}
{{- end }}
{{- if .Values.hubble.enabled }}
# Enable Hubble gRPC service.
enable-hubble: {{ .Values.hubble.enabled | quote }}
{{- if .Values.hubble.enabled }}
# UNIX domain socket for Hubble server to listen to.
hubble-socket-path: {{ .Values.hubble.socketPath | quote }}
{{- if hasKey .Values.hubble "eventQueueSize" }}
@@ -941,7 +944,7 @@ data:
# Capacity of the buffer to store recent events.
hubble-event-buffer-capacity: {{ .Values.hubble.eventBufferCapacity | quote }}
{{- end }}
{{- if .Values.hubble.metrics.enabled }}
{{- if or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled}}
# Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this
# field is not set.
hubble-metrics-server: ":{{ .Values.hubble.metrics.port }}"
@@ -953,14 +956,20 @@ data:
hubble-metrics-server-tls-client-ca-files: /var/lib/cilium/tls/hubble-metrics/client-ca.crt
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.hubble.metrics.enabled }}
# A space separated list of metrics to enable. See [0] for available metrics.
#
# https://github.com/cilium/hubble/blob/master/Documentation/metrics.md
hubble-metrics: {{- range .Values.hubble.metrics.enabled }}
{{.}}
{{- end}}
{{- if .Values.hubble.metrics.dynamic.enabled }}
hubble-dynamic-metrics-config-path: /dynamic-metrics-config/dynamic-metrics.yaml
{{- end }}
enable-hubble-open-metrics: {{ .Values.hubble.metrics.enableOpenMetrics | quote }}
{{- end }}
{{- if .Values.hubble.redact }}
{{- if eq .Values.hubble.redact.enabled true }}
# Enables hubble redact capabilities
@@ -1004,10 +1013,6 @@ data:
hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml
{{- end }}
{{- end }}
{{- if .Values.hubble.metrics.dynamic.enabled }}
hubble-dynamic-metrics-config-path: /dynamic-metrics-config/dynamic-metrics.yaml
hubble-metrics-server: ":{{ .Values.hubble.metrics.port }}"
{{- end }}
{{- if hasKey .Values.hubble "listenAddress" }}
# An additional address for Hubble server to listen to (e.g. ":4244").
hubble-listen-address: {{ .Values.hubble.listenAddress | quote }}
@@ -1041,8 +1046,8 @@ data:
{{- else }}
ipam: {{ $ipam | quote }}
{{- end }}
{{- if hasKey .Values.ipam "multiPoolPreAllocation" }}
ipam-multi-pool-pre-allocation: {{ .Values.ipam.multiPoolPreAllocation }}
{{- if .Values.ipam.multiPoolPreAllocation }}
ipam-multi-pool-pre-allocation: {{ .Values.ipam.multiPoolPreAllocation | quote }}
{{- end }}
{{- if .Values.ipam.ciliumNodeUpdateRate }}
@@ -1335,6 +1340,10 @@ data:
external-envoy-proxy: {{ include "envoyDaemonSetEnabled" . | quote }}
envoy-base-id: {{ .Values.envoy.baseID | quote }}
{{- if .Values.envoy.policyRestoreTimeoutDuration }}
envoy-policy-restore-timeout: {{ .Values.envoy.policyRestoreTimeoutDuration | quote }}
{{- end }}
{{- if .Values.envoy.log.path }}
envoy-log: {{ .Values.envoy.log.path | quote }}
{{- end }}

6
packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml
View File

@@ -41,6 +41,9 @@ metadata:
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
@@ -66,6 +69,9 @@ metadata:
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""

27
packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml
View File

@@ -7,24 +7,23 @@ kind: RoleBinding
metadata:
name: cilium-operator-ingress-secrets
namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
{{- with .Values.commonLabels }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- with .Values.operator.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-operator-ingress-secrets
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.operator.name | quote }}
namespace: {{ include "cilium.namespace" . }}
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.operator.name | quote }}
namespace: {{ include "cilium.namespace" . }}
{{- end }}
{{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.sync .Values.gatewayAPI.secretsNamespace.name }}
@@ -34,12 +33,15 @@ kind: RoleBinding
metadata:
name: cilium-operator-gateway-secrets
namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.operator.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -57,12 +59,15 @@ kind: RoleBinding
metadata:
name: cilium-operator-tlsinterception-secrets
namespace: {{ .Values.tls.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.operator.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role

2
packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml
View File

@@ -1,4 +1,4 @@
{{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.serviceMonitor.enabled }}
{{- if and .Values.hubble.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) .Values.hubble.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:

11
packages/system/cilium/charts/cilium/templates/spire/server/service.yaml
View File

@@ -4,10 +4,13 @@ kind: Service
metadata:
name: spire-server
namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
{{- with .Values.commonLabels }}
labels:
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- with .Values.authentication.mutual.spire.install.server.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.authentication.mutual.spire.install.server.service.annotations .Values.authentication.mutual.spire.annotations }}
annotations:
{{- with .Values.authentication.mutual.spire.annotations }}
@@ -17,10 +20,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- with .Values.authentication.mutual.spire.install.server.service.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
type: {{ .Values.authentication.mutual.spire.install.server.service.type }}
ports:

11
packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
View File

@@ -4,10 +4,6 @@ kind: StatefulSet
metadata:
name: spire-server
namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
{{- with .Values.commonLabels }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.authentication.mutual.spire.install.server.annotations .Values.authentication.mutual.spire.annotations }}
annotations:
{{- with .Values.authentication.mutual.spire.annotations }}
@@ -19,9 +15,12 @@ metadata:
{{- end }}
labels:
app: spire-server
{{- with .Values.authentication.mutual.spire.install.server.labels }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- with .Values.authentication.mutual.spire.install.server.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: 1
selector:

17
packages/system/cilium/charts/cilium/values.schema.json
View File

@@ -519,6 +519,14 @@
"disableExternalIPMitigation": {
"type": "boolean"
},
"distributedLRU": {
"properties": {
"enabled": {
"type": "boolean"
}
},
"type": "object"
},
"enableTCX": {
"type": "boolean"
},
@@ -2110,6 +2118,12 @@
},
"type": "object"
},
"policyRestoreTimeoutDuration": {
"type": [
"null",
"string"
]
},
"priorityClassName": {
"type": [
"null",
@@ -5462,6 +5476,9 @@
"tunnelProtocol": {
"type": "string"
},
"tunnelSourcePortRange": {
"type": "string"
},
"updateStrategy": {
"properties": {
"rollingUpdate": {

57
packages/system/cilium/charts/cilium/values.yaml
View File

@@ -191,10 +191,10 @@ image:
# @schema
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.17.1"
tag: "v1.17.2"
pullPolicy: "IfNotPresent"
# cilium-digest
digest: "sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
digest: "sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1"
useDigest: true
# -- Scheduling configurations for cilium pods
scheduling:
@@ -495,6 +495,13 @@ bpf:
# tracking table.
# @default -- `262144`
ctAnyMax: ~
# -- Control to use a distributed per-CPU backend memory for the core BPF LRU maps
# which Cilium uses. This improves performance significantly, but it is also
# recommended to increase BPF map sizing along with that.
distributedLRU:
# -- Enable distributed LRU backend memory. For compatibility with existing
# installations it is off by default.
enabled: false
# -- Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble.
# Helm configuration for BPF events map rate limiting is experimental and might change
# in upcoming releases.
@@ -1433,9 +1440,9 @@ hubble:
# @schema
override: ~
repository: "quay.io/cilium/hubble-relay"
tag: "v1.17.1"
tag: "v1.17.2"
# hubble-relay-digest
digest: "sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc"
digest: "sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc"
useDigest: true
pullPolicy: "IfNotPresent"
# -- Specifies the resources for the hubble-relay pods
@@ -1684,8 +1691,8 @@ hubble:
# @schema
override: ~
repository: "quay.io/cilium/hubble-ui-backend"
tag: "v0.13.1"
digest: "sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b"
tag: "v0.13.2"
digest: "sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15"
useDigest: true
pullPolicy: "IfNotPresent"
# -- Hubble-ui backend security context.
@@ -1718,8 +1725,8 @@ hubble:
# @schema
override: ~
repository: "quay.io/cilium/hubble-ui"
tag: "v0.13.1"
digest: "sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6"
tag: "v0.13.2"
digest: "sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392"
useDigest: true
pullPolicy: "IfNotPresent"
# -- Hubble-ui frontend security context.
@@ -2332,6 +2339,11 @@ envoy:
xffNumTrustedHopsL7PolicyIngress: 0
# -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
xffNumTrustedHopsL7PolicyEgress: 0
# @schema
# type: [null, string]
# @schema
# -- Max duration to wait for endpoint policies to be restored on restart. Default "3m".
policyRestoreTimeoutDuration: null
# -- Envoy container image.
image:
# @schema
@@ -2339,9 +2351,9 @@ envoy:
# @schema
override: ~
repository: "quay.io/cilium/cilium-envoy"
tag: "v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae"
tag: "v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211"
pullPolicy: "IfNotPresent"
digest: "sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521"
digest: "sha256:377c78c13d2731f3720f931721ee309159e782d882251709cb0fac3b42c03f4b"
useDigest: true
# -- Additional containers added to the cilium Envoy DaemonSet.
extraContainers: []
@@ -2605,7 +2617,7 @@ tls:
# type: [null, boolean]
# @schema
# -- Enable synchronization of Secrets for TLS Interception. If disabled and
# tls.secretsBackend is set to 'k8s', then secrets will be read directly by the agent.
# tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent.
enabled: ~
# -- Base64 encoded PEM values for the CA certificate and private key.
# This can be used as common CA to generate certificates used by hubble and clustermesh components.
@@ -2658,6 +2670,9 @@ routingMode: ""
# -- Configure VXLAN and Geneve tunnel port.
# @default -- Port 8472 for VXLAN, Port 6081 for Geneve
tunnelPort: 0
# -- Configure VXLAN and Geneve tunnel source port range hint.
# @default -- 0-0 to let the kernel driver decide the range
tunnelSourcePortRange: 0-0
# -- Configure what the response should be to traffic for a service without backends.
# Possible values:
# - reject (default)
@@ -2693,15 +2708,15 @@ operator:
# @schema
override: ~
repository: "quay.io/cilium/operator"
tag: "v1.17.1"
tag: "v1.17.2"
# operator-generic-digest
genericDigest: "sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97"
genericDigest: "sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249"
# operator-azure-digest
azureDigest: "sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b"
azureDigest: "sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0"
# operator-aws-digest
awsDigest: "sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6"
awsDigest: "sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c"
# operator-alibabacloud-digest
alibabacloudDigest: "sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c"
alibabacloudDigest: "sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe"
useDigest: true
pullPolicy: "IfNotPresent"
suffix: ""
@@ -2976,9 +2991,9 @@ preflight:
# @schema
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.17.1"
tag: "v1.17.2"
# cilium-digest
digest: "sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
digest: "sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1"
useDigest: true
pullPolicy: "IfNotPresent"
# -- The priority class to use for the preflight pod.
@@ -3125,9 +3140,9 @@ clustermesh:
# @schema
override: ~
repository: "quay.io/cilium/clustermesh-apiserver"
tag: "v1.17.1"
tag: "v1.17.2"
# clustermesh-apiserver-digest
digest: "sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c"
digest: "sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398"
useDigest: true
pullPolicy: "IfNotPresent"
# -- TCP port for the clustermesh-apiserver health API.
@@ -3634,7 +3649,7 @@ authentication:
override: ~
repository: "docker.io/library/busybox"
tag: "1.37.0"
digest: "sha256:a5d0ce49aa801d475da48f8cb163c354ab95cab073cd3c138bd458fc8257fbf1"
digest: "sha256:498a000f370d8c37927118ed80afe8adc38d1edcbfc071627d17b25c88efcab0"
useDigest: true
pullPolicy: "IfNotPresent"
# SPIRE agent configuration

17
packages/system/cilium/charts/cilium/values.yaml.tmpl
View File

@@ -500,6 +500,13 @@ bpf:
# tracking table.
# @default -- `262144`
ctAnyMax: ~
# -- Control to use a distributed per-CPU backend memory for the core BPF LRU maps
# which Cilium uses. This improves performance significantly, but it is also
# recommended to increase BPF map sizing along with that.
distributedLRU:
# -- Enable distributed LRU backend memory. For compatibility with existing
# installations it is off by default.
enabled: false
# -- Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble.
# Helm configuration for BPF events map rate limiting is experimental and might change
# in upcoming releases.
@@ -2351,6 +2358,11 @@ envoy:
xffNumTrustedHopsL7PolicyIngress: 0
# -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
xffNumTrustedHopsL7PolicyEgress: 0
# @schema
# type: [null, string]
# @schema
# -- Max duration to wait for endpoint policies to be restored on restart. Default "3m".
policyRestoreTimeoutDuration: null
# -- Envoy container image.
image:
# @schema
@@ -2626,7 +2638,7 @@ tls:
# type: [null, boolean]
# @schema
# -- Enable synchronization of Secrets for TLS Interception. If disabled and
# tls.secretsBackend is set to 'k8s', then secrets will be read directly by the agent.
# tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent.
enabled: ~
# -- Base64 encoded PEM values for the CA certificate and private key.
# This can be used as common CA to generate certificates used by hubble and clustermesh components.
@@ -2679,6 +2691,9 @@ routingMode: ""
# -- Configure VXLAN and Geneve tunnel port.
# @default -- Port 8472 for VXLAN, Port 6081 for Geneve
tunnelPort: 0
# -- Configure VXLAN and Geneve tunnel source port range hint.
# @default -- 0-0 to let the kernel driver decide the range
tunnelSourcePortRange: 0-0
# -- Configure what the response should be to traffic for a service without backends.
# Possible values:
# - reject (default)

2
packages/system/cilium/images/cilium/Dockerfile
View File

@@ -1,2 +1,2 @@
ARG VERSION=v1.17.1
ARG VERSION=v1.17.2
FROM quay.io/cilium/cilium:${VERSION}