Update cilium v1.16.1 (#300)

Andrei Kvapil
2024-08-21 12:06:07 +02:00
committed by GitHub
parent 710605100f
commit fcccfd4f52
20 changed files with 184 additions and 69 deletions

View File

@@ -79,7 +79,7 @@ annotations:
Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can
be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
apiVersion: v2
appVersion: 1.16.0
appVersion: 1.16.1
description: eBPF-based Networking, Security, and Observability
home: https://cilium.io/
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
name: cilium
sources:
- https://github.com/cilium/cilium
version: 1.16.0
version: 1.16.1

View File

@@ -1,6 +1,6 @@
# cilium
![Version: 1.16.0](https://img.shields.io/badge/Version-1.16.0-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
![Version: 1.16.1](https://img.shields.io/badge/Version-1.16.1-informational?style=flat-square) ![AppVersion: 1.16.1](https://img.shields.io/badge/AppVersion-1.16.1-informational?style=flat-square)
Cilium is open source software for providing and transparently securing
network connectivity and loadbalancing between application workloads such as
@@ -46,7 +46,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge
## Getting Help
The best way to get help if you get stuck is to ask a question on the
[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
[Cilium Slack channel](https://slack.cilium.io). With Cilium
contributors across the globe, there is almost always someone available to help.
## Values
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
| clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
| clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
| clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
| clustermesh.apiserver.image | object | `{"digest":"sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0","useDigest":true}` | Clustermesh API server image. |
| clustermesh.apiserver.image | object | `{"digest":"sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.1","useDigest":true}` | Clustermesh API server image. |
| clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
| clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
| clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -445,7 +445,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.export.fileMaxSizeMb | int | `10` | - Defines max file size of output file before it gets rotated. |
| hubble.export.static | object | `{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}` | - Static exporter configuration. Static exporter is bound to agent lifecycle. |
| hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. |
| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. |
| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. |
| hubble.metrics.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for hubble grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
| hubble.metrics.enableOpenMetrics | bool | `false` | Enables exporting hubble metrics in OpenMetrics format. |
| hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" |
@@ -458,10 +458,11 @@ contributors across the globe, there is almost always someone available to help.
| hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble |
| hubble.metrics.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor hubble |
| hubble.metrics.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor hubble |
| hubble.metrics.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble metrics server certificate. |
| hubble.metrics.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble metrics server certificate (deprecated). Use existingSecret instead. |
| hubble.metrics.tls.server.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored. |
| hubble.metrics.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated |
| hubble.metrics.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
| hubble.metrics.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble metrics server key. |
| hubble.metrics.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble metrics server key (deprecated). Use existingSecret instead. |
| hubble.metrics.tls.server.mtls | object | `{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}` | Configure mTLS for the Hubble metrics server. |
| hubble.metrics.tls.server.mtls.key | string | `"ca.crt"` | Entry of the ConfigMap containing the CA. |
| hubble.metrics.tls.server.mtls.name | string | `nil` | Name of the ConfigMap containing the CA to validate client certificates against. If mTLS is enabled and this is unspecified, it will default to the same CA used for Hubble metrics server certificates. |
@@ -483,7 +484,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
| hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
| hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
| hubble.relay.image | object | `{"digest":"sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0","useDigest":true}` | Hubble-relay container image. |
| hubble.relay.image | object | `{"digest":"sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.1","useDigest":true}` | Hubble-relay container image. |
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -515,17 +516,23 @@ contributors across the globe, there is almost always someone available to help.
| hubble.relay.sortBufferDrainTimeout | string | `nil` | When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). |
| hubble.relay.sortBufferLenMax | int | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). |
| hubble.relay.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for hubble relay Deployment. |
| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}` | TLS configuration for Hubble Relay |
| hubble.relay.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the hubble-relay client certificate and private key This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}` | base64 encoded PEM values for the hubble-relay server certificate and private key |
| hubble.relay.tls | object | `{"client":{"cert":"","existingSecret":"","key":""},"server":{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}` | TLS configuration for Hubble Relay |
| hubble.relay.tls.client | object | `{"cert":"","existingSecret":"","key":""}` | The hubble-relay client certificate and private key. This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
| hubble.relay.tls.client.cert | string | `""` | base64 encoded PEM values for the Hubble relay client certificate (deprecated). Use existingSecret instead. |
| hubble.relay.tls.client.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored. |
| hubble.relay.tls.client.key | string | `""` | base64 encoded PEM values for the Hubble relay client key (deprecated). Use existingSecret instead. |
| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}` | The hubble-relay server certificate and private key |
| hubble.relay.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble relay server certificate (deprecated). Use existingSecret instead. |
| hubble.relay.tls.server.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble relay server. If specified, cert and key are ignored. |
| hubble.relay.tls.server.extraDnsNames | list | `[]` | extra DNS names added to certificate when its auto gen |
| hubble.relay.tls.server.extraIpAddresses | list | `[]` | extra IP addresses added to certificate when its auto gen |
| hubble.relay.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble relay server key (deprecated). Use existingSecret instead. |
| hubble.relay.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| hubble.relay.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for hubble-relay |
| hubble.relay.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-relay update strategy |
| hubble.skipUnknownCGroupIDs | bool | `true` | Skip Hubble events with unknown cgroup ids |
| hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. |
| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. |
| hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
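Review bot: the description on the new hubble.relay.tls.client.existingSecret row is a copy-paste from the metrics entry: it reads "Name of the Secret containing the certificate and key for the Hubble metrics server", but this value names the relay client keypair presented to Hubble server instances. The same wording is in the values.yaml comment under hubble.relay.tls.client, so the fix belongs there and the README row will follow. Suggest "Name of the Secret containing the client certificate and key for Hubble Relay", matching the phrasing used for hubble.ui.tls.client.existingSecret.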
@@ -533,9 +540,12 @@ contributors across the globe, there is almost always someone available to help.
| hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates. |
| hubble.tls.auto.schedule | string | `"0 0 1 */4 *"` | Schedule for certificates regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time. Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax |
| hubble.tls.enabled | bool | `true` | Enable mutual TLS for listenAddress. Setting this value to false is highly discouraged as the Hubble API provides access to potentially sensitive network flow metadata and is exposed on the host network. |
| hubble.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the Hubble server certificate and private key |
| hubble.tls.server | object | `{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | The Hubble server certificate and private key |
| hubble.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble server certificate (deprecated). Use existingSecret instead. |
| hubble.tls.server.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble server. If specified, cert and key are ignored. |
| hubble.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated |
| hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
| hubble.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble server key (deprecated). Use existingSecret instead. |
| hubble.ui.affinity | object | `{}` | Affinity for hubble-ui |
| hubble.ui.annotations | object | `{}` | Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) |
| hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
@@ -572,13 +582,15 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.service.type | string | `"ClusterIP"` | - The type of service used for Hubble UI access, either ClusterIP or NodePort. |
| hubble.ui.standalone.enabled | bool | `false` | When true, it will allow installing the Hubble UI only, without checking dependencies. It is useful if a cluster already has cilium and Hubble relay installed and you just want Hubble UI to be deployed. When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` |
| hubble.ui.standalone.tls.certsVolume | object | `{}` | When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates. |
| hubble.ui.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values used to connect to hubble-relay This keypair is presented to Hubble Relay instances for mTLS authentication and is required when hubble.relay.tls.server.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
| hubble.ui.tls.client.cert | string | `""` | base64 encoded PEM values for the Hubble UI client certificate (deprecated). Use existingSecret instead. |
| hubble.ui.tls.client.existingSecret | string | `""` | Name of the Secret containing the client certificate and key for Hubble UI If specified, cert and key are ignored. |
| hubble.ui.tls.client.key | string | `""` | base64 encoded PEM values for the Hubble UI client key (deprecated). Use existingSecret instead. |
| hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| hubble.ui.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for hubble-ui |
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
| identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
| image | object | `{"digest":"sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0","useDigest":true}` | Agent container image. |
| image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Agent container image. |
| imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
| ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
| ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -657,6 +669,8 @@ contributors across the globe, there is almost always someone available to help.
| monitor | object | `{"enabled":false}` | cilium-monitor sidecar. |
| monitor.enabled | bool | `false` | Enable the cilium-monitor sidecar. |
| name | string | `"cilium"` | Agent container name. |
| nat.mapStatsEntries | int | `32` | Number of the top-k SNAT map connections to track in Cilium statedb. |
| nat.mapStatsInterval | string | `"30s"` | Interval between how often SNAT map is counted for stats. |
| nat46x64Gateway | object | `{"enabled":false}` | Configure standalone NAT46/NAT64 gateway |
| nat46x64Gateway.enabled | bool | `false` | Enable RFC8215-prefixed translation |
| nodeIPAM.enabled | bool | `false` | Configure Node IPAM ref: https://docs.cilium.io/en/stable/network/node-ipam/ |
@@ -703,7 +717,7 @@ contributors across the globe, there is almost always someone available to help.
| operator.hostNetwork | bool | `true` | HostNetwork setting |
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
| operator.image | object | `{"alibabacloudDigest":"sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea","awsDigest":"sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f","azureDigest":"sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d","genericDigest":"sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0","useDigest":true}` | cilium-operator image. |
| operator.image | object | `{"alibabacloudDigest":"sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804","awsDigest":"sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4","azureDigest":"sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22","genericDigest":"sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.1","useDigest":true}` | cilium-operator image. |
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -753,7 +767,7 @@ contributors across the globe, there is almost always someone available to help.
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
| preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
| preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
| preflight.image | object | `{"digest":"sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0","useDigest":true}` | Cilium pre-flight image. |
| preflight.image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Cilium pre-flight image. |
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

View File

@@ -48,7 +48,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge
## Getting Help
The best way to get help if you get stuck is to ask a question on the
[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
[Cilium Slack channel](https://slack.cilium.io). With Cilium
contributors across the globe, there is almost always someone available to help.
{{ template "chart.valuesSection" . }}

View File

@@ -984,7 +984,7 @@ spec:
defaultMode: 0400
sources:
- secret:
name: hubble-server-certs
name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-server-certs" }}
optional: true
items:
- key: tls.crt
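Review bot: the `optional: true` in the unchanged context now applies to a user-supplied Secret name. With `name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-server-certs" }}`, a typo in existingSecret, or a Secret that lacks the tls.crt key listed under items, yields a pod that starts with no certificate mounted instead of failing at volume setup. Suggest documenting next to existingSecret which keys the Secret must carry, and considering whether `optional` should stay true when existingSecret is set.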
@@ -1010,7 +1010,7 @@ spec:
defaultMode: 0400
sources:
- secret:
name: hubble-metrics-server-certs
name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-metrics-server-certs" }}
optional: true
items:
- key: tls.crt
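Review bot: the metrics certificate volume reads the wrong value. `name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-metrics-server-certs" }}` uses hubble.tls.server.existingSecret, while the key documented for this certificate, and the one the metrics Secret template guard checks, is hubble.metrics.tls.server.existingSecret. As written, setting hubble.metrics.tls.server.existingSecret suppresses the chart-managed Secret while the volume still asks for hubble-metrics-server-certs, and setting hubble.tls.server.existingSecret mounts the Hubble server Secret for the metrics endpoint as well. Because the source is `optional: true`, neither case fails at pod start. Suggest `.Values.hubble.metrics.tls.server.existingSecret` here.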

View File

@@ -1290,6 +1290,9 @@ data:
clustermesh-enable-endpoint-sync: {{ .Values.clustermesh.enableEndpointSliceSynchronization | quote }}
clustermesh-enable-mcs-api: {{ .Values.clustermesh.enableMCSAPISupport | quote }}
nat-map-stats-entries: {{ .Values.nat.mapStatsEntries | quote }}
nat-map-stats-interval: {{ .Values.nat.mapStatsInterval | quote }}
# Extra config allows adding arbitrary properties to the cilium config.
# By putting it at the end of the ConfigMap, it's also possible to override existing properties.
{{- if .Values.extraConfig }}

View File

@@ -170,7 +170,7 @@ spec:
defaultMode: 0400
sources:
- secret:
name: hubble-relay-client-certs
name: {{ .Values.hubble.relay.tls.client.existingSecret | default "hubble-relay-client-certs" }}
items:
- key: tls.crt
path: client.crt
@@ -188,7 +188,7 @@ spec:
{{- end }}
{{- if .Values.hubble.relay.tls.server.enabled }}
- secret:
name: hubble-relay-server-certs
name: {{ .Values.hubble.relay.tls.server.existingSecret | default "hubble-relay-server-certs" }}
items:
- key: tls.crt
path: server.crt

View File

@@ -186,7 +186,7 @@ spec:
defaultMode: 0400
sources:
- secret:
name: hubble-ui-client-certs
name: {{ .Values.hubble.ui.tls.client.existingSecret | default "hubble-ui-client-certs" }}
items:
- key: tls.crt
path: client.crt

View File

@@ -10,10 +10,6 @@ spec:
{{- end }}
spec:
securityContext:
{{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
appArmorProfile:
type: RuntimeDefault
{{- end }}
seccompProfile:
type: RuntimeDefault
containers:
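Review bot: dropping the appArmorProfile block leaves this pod spec with only `seccompProfile: type: RuntimeDefault` and no explicit AppArmor setting on any Kubernetes version. The removed guard was `semverCompare "<1.30.0"`, but the securityContext.appArmorProfile field only exists from Kubernetes 1.30 onward, so the condition looks inverted rather than unnecessary. If the confinement is still wanted, suggest flipping the comparison to `>=1.30.0` instead of removing the block, or stating in the commit message why the profile is no longer set.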

View File

@@ -1,4 +1,4 @@
{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.metrics.tls.enabled (not .Values.hubble.tls.auto.enabled) }}
{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.metrics.tls.enabled (not .Values.hubble.tls.auto.enabled) (not .Values.hubble.metrics.tls.server.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:

View File

@@ -1,4 +1,4 @@
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled (not .Values.hubble.relay.tls.client.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:

View File

@@ -1,4 +1,4 @@
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled (not .Values.hubble.relay.tls.server.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:

View File

@@ -1,4 +1,4 @@
{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) }}
{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) (not .Values.hubble.tls.server.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:

View File

@@ -1,4 +1,4 @@
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled (not .Values.hubble.ui.tls.client.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:

View File

@@ -39,6 +39,10 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
initContainers:
- name: init
image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }}

View File

@@ -38,6 +38,10 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if gt (len .Values.authentication.mutual.spire.install.server.initContainers) 0 }}
initContainers:
{{- toYaml .Values.authentication.mutual.spire.install.server.initContainers | nindent 8 }}

View File

@@ -2606,6 +2606,9 @@
"cert": {
"type": "string"
},
"existingSecret": {
"type": "string"
},
"extraDnsNames": {
"items": {},
"type": "array"
@@ -2981,6 +2984,9 @@
"cert": {
"type": "string"
},
"existingSecret": {
"type": "string"
},
"key": {
"type": "string"
}
@@ -2995,6 +3001,9 @@
"enabled": {
"type": "boolean"
},
"existingSecret": {
"type": "string"
},
"extraDnsNames": {
"items": {},
"type": "array"
@@ -3087,6 +3096,9 @@
"cert": {
"type": "string"
},
"existingSecret": {
"type": "string"
},
"extraDnsNames": {
"items": {},
"type": "array"
@@ -3372,6 +3384,9 @@
"cert": {
"type": "string"
},
"existingSecret": {
"type": "string"
},
"key": {
"type": "string"
}
@@ -3830,6 +3845,17 @@
"name": {
"type": "string"
},
"nat": {
"properties": {
"mapStatsEntries": {
"type": "integer"
},
"mapStatsInterval": {
"type": "string"
}
},
"type": "object"
},
"nat46x64Gateway": {
"properties": {
"enabled": {
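Review bot: in the new "nat" object, mapStatsEntries is a bare `"type": "integer"` and mapStatsInterval a bare `"type": "string"`, so a zero or negative entry count, or an interval that is not a duration, passes schema validation and reaches the nat-map-stats-entries and nat-map-stats-interval ConfigMap keys unchanged. Suggest at least a `minimum` on mapStatsEntries so a bad override is rejected at install time.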

View File

@@ -153,10 +153,10 @@ image:
# @schema
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.16.0"
tag: "v1.16.1"
pullPolicy: "IfNotPresent"
# cilium-digest
digest: "sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058"
digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
useDigest: true
# -- Affinity for cilium-agent.
affinity:
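Review bot: tag and digest change together in this hunk and useDigest stays true, so the digest is what actually pins the agent image. Before merging, confirm that sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39 is the digest the registry reports for quay.io/cilium/cilium at tag v1.16.1. The same check applies to the hubble-relay, clustermesh-apiserver and operator digests bumped elsewhere in this commit.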
@@ -1077,9 +1077,14 @@ hubble:
enabled: false
# Configure hubble metrics server TLS.
server:
# -- base64 encoded PEM values for the Hubble metrics server certificate.
# -- Name of the Secret containing the certificate and key for the Hubble metrics server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble metrics server certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble metrics server key.
# -- base64 encoded PEM values for the Hubble metrics server key (deprecated).
# Use existingSecret instead.
key: ""
# -- Extra DNS names added to certificate when it's auto generated
extraDnsNames: []
@@ -1277,9 +1282,16 @@ hubble:
# name: ca-issuer
# -- certmanager issuer used when hubble.tls.auto.method=certmanager.
certManagerIssuerRef: {}
# -- base64 encoded PEM values for the Hubble server certificate and private key
# -- The Hubble server certificate and private key
server:
# -- Name of the Secret containing the certificate and key for the Hubble server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble server certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble server key (deprecated).
# Use existingSecret instead.
key: ""
# -- Extra DNS names added to certificate when it's auto generated
extraDnsNames: []
@@ -1297,9 +1309,9 @@ hubble:
# @schema
override: ~
repository: "quay.io/cilium/hubble-relay"
tag: "v1.16.0"
tag: "v1.16.1"
# hubble-relay-digest
digest: "sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d"
digest: "sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35"
useDigest: true
pullPolicy: "IfNotPresent"
# -- Specifies the resources for the hubble-relay pods
@@ -1391,14 +1403,21 @@ hubble:
listenPort: "4245"
# -- TLS configuration for Hubble Relay
tls:
# -- base64 encoded PEM values for the hubble-relay client certificate and private key
# -- The hubble-relay client certificate and private key.
# This keypair is presented to Hubble server instances for mTLS
# authentication and is required when hubble.tls.enabled is true.
# These values need to be set manually if hubble.tls.auto.enabled is false.
client:
# -- Name of the Secret containing the certificate and key for the Hubble metrics server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble relay client certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble relay client key (deprecated).
# Use existingSecret instead.
key: ""
# -- base64 encoded PEM values for the hubble-relay server certificate and private key
# -- The hubble-relay server certificate and private key
server:
# When set to true, enable TLS on for Hubble Relay server
# (ie: for clients connecting to the Hubble Relay API).
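Review bot: the `existingSecret` comment under relay `tls.client` reads "Name of the Secret containing the certificate and key for the Hubble metrics server.", which is a copy-paste from the metrics block. This keypair is the hubble-relay client certificate presented to Hubble server instances, as the lines just above `client:` say; the comment should name the Hubble relay client so nobody points relay at the metrics server Secret.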
@@ -1407,8 +1426,14 @@ hubble:
# False allow non-mutual TLS connections.
# This option has no effect when TLS is disabled.
mtls: false
# These values need to be set manually if hubble.tls.auto.enabled is false.
# -- Name of the Secret containing the certificate and key for the Hubble relay server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble relay server certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble relay server key (deprecated).
# Use existingSecret instead.
key: ""
# -- extra DNS names added to certificate when its auto gen
extraDnsNames: []
@@ -1515,12 +1540,15 @@ hubble:
# -- Roll out Hubble-ui pods automatically when configmap is updated.
rollOutPods: false
tls:
# -- base64 encoded PEM values used to connect to hubble-relay
# This keypair is presented to Hubble Relay instances for mTLS
# authentication and is required when hubble.relay.tls.server.enabled is true.
# These values need to be set manually if hubble.tls.auto.enabled is false.
client:
# -- Name of the Secret containing the client certificate and key for Hubble UI
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble UI client certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble UI client key (deprecated).
# Use existingSecret instead.
key: ""
backend:
# -- Hubble-ui backend image.
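Review bot: going by the hunk header (12 lines before, 15 after), the four comment lines above `client:` are removed, including "is required when hubble.relay.tls.server.enabled is true" and "These values need to be set manually if hubble.tls.auto.enabled is false." The relay `tls.client` block keeps the equivalent explanation, so keep it here too, reworded for `existingSecret`; otherwise the values file no longer says when the UI client keypair is mandatory. Minor: the new `existingSecret` comment line is missing its trailing period.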
@@ -1886,6 +1914,11 @@ enableMasqueradeRouteSource: false
enableIPv4BIGTCP: false
# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
enableIPv6BIGTCP: false
nat:
# -- Number of the top-k SNAT map connections to track in Cilium statedb.
mapStatsEntries: 32
# -- Interval between how often SNAT map is counted for stats.
mapStatsInterval: 30s
egressGateway:
# -- Enables egress gateway to redirect and SNAT the traffic that leaves the
# cluster.
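Review bot: the comments on the new `nat` keys leave out what an operator needs to change them safely. For `mapStatsInterval`, "Interval between how often SNAT map is counted for stats." does not state the accepted duration format or whether a zero value disables collection. For `mapStatsEntries`, it would help to say whether the limit of 32 is per node. Please expand both comments.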
@@ -2441,15 +2474,15 @@ operator:
# @schema
override: ~
repository: "quay.io/cilium/operator"
tag: "v1.16.0"
tag: "v1.16.1"
# operator-generic-digest
genericDigest: "sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316"
genericDigest: "sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4"
# operator-azure-digest
azureDigest: "sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d"
azureDigest: "sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22"
# operator-aws-digest
awsDigest: "sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f"
awsDigest: "sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4"
# operator-alibabacloud-digest
alibabacloudDigest: "sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea"
alibabacloudDigest: "sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804"
useDigest: true
pullPolicy: "IfNotPresent"
suffix: ""
@@ -2723,9 +2756,9 @@ preflight:
# @schema
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.16.0"
tag: "v1.16.1"
# cilium-digest
digest: "sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058"
digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
useDigest: true
pullPolicy: "IfNotPresent"
# -- The priority class to use for the preflight pod.
@@ -2872,9 +2905,9 @@ clustermesh:
# @schema
override: ~
repository: "quay.io/cilium/clustermesh-apiserver"
tag: "v1.16.0"
tag: "v1.16.1"
# clustermesh-apiserver-digest
digest: "sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e"
digest: "sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f"
useDigest: true
pullPolicy: "IfNotPresent"
# -- TCP port for the clustermesh-apiserver health API.

View File

@@ -1086,9 +1086,14 @@ hubble:
enabled: false
# Configure hubble metrics server TLS.
server:
# -- base64 encoded PEM values for the Hubble metrics server certificate.
# -- Name of the Secret containing the certificate and key for the Hubble metrics server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble metrics server certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble metrics server key.
# -- base64 encoded PEM values for the Hubble metrics server key (deprecated).
# Use existingSecret instead.
key: ""
# -- Extra DNS names added to certificate when it's auto generated
extraDnsNames: []
@@ -1286,9 +1291,16 @@ hubble:
# name: ca-issuer
# -- certmanager issuer used when hubble.tls.auto.method=certmanager.
certManagerIssuerRef: {}
# -- base64 encoded PEM values for the Hubble server certificate and private key
# -- The Hubble server certificate and private key
server:
# -- Name of the Secret containing the certificate and key for the Hubble server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble server certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble server key (deprecated).
# Use existingSecret instead.
key: ""
# -- Extra DNS names added to certificate when it's auto generated
extraDnsNames: []
@@ -1400,14 +1412,21 @@ hubble:
listenPort: "4245"
# -- TLS configuration for Hubble Relay
tls:
# -- base64 encoded PEM values for the hubble-relay client certificate and private key
# -- The hubble-relay client certificate and private key.
# This keypair is presented to Hubble server instances for mTLS
# authentication and is required when hubble.tls.enabled is true.
# These values need to be set manually if hubble.tls.auto.enabled is false.
client:
# -- Name of the Secret containing the certificate and key for the Hubble metrics server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble relay client certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble relay client key (deprecated).
# Use existingSecret instead.
key: ""
# -- base64 encoded PEM values for the hubble-relay server certificate and private key
# -- The hubble-relay server certificate and private key
server:
# When set to true, enable TLS on for Hubble Relay server
# (ie: for clients connecting to the Hubble Relay API).
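Review bot: in this file the relay `tls.client` `existingSecret` comment also says the Secret is "for the Hubble metrics server", although the block documents the hubble-relay client keypair. The text is duplicated between the two values files, so the wording fix has to be applied in both places.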
@@ -1416,8 +1435,14 @@ hubble:
# False allow non-mutual TLS connections.
# This option has no effect when TLS is disabled.
mtls: false
# These values need to be set manually if hubble.tls.auto.enabled is false.
# -- Name of the Secret containing the certificate and key for the Hubble relay server.
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble relay server certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble relay server key (deprecated).
# Use existingSecret instead.
key: ""
# -- extra DNS names added to certificate when its auto gen
extraDnsNames: []
@@ -1524,12 +1549,15 @@ hubble:
# -- Roll out Hubble-ui pods automatically when configmap is updated.
rollOutPods: false
tls:
# -- base64 encoded PEM values used to connect to hubble-relay
# This keypair is presented to Hubble Relay instances for mTLS
# authentication and is required when hubble.relay.tls.server.enabled is true.
# These values need to be set manually if hubble.tls.auto.enabled is false.
client:
# -- Name of the Secret containing the client certificate and key for Hubble UI
# If specified, cert and key are ignored.
existingSecret: ""
# -- base64 encoded PEM values for the Hubble UI client certificate (deprecated).
# Use existingSecret instead.
cert: ""
# -- base64 encoded PEM values for the Hubble UI client key (deprecated).
# Use existingSecret instead.
key: ""
backend:
# -- Hubble-ui backend image.
@@ -1897,6 +1925,13 @@ enableMasqueradeRouteSource: false
enableIPv4BIGTCP: false
# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
enableIPv6BIGTCP: false
nat:
# -- Number of the top-k SNAT map connections to track in Cilium statedb.
mapStatsEntries: 32
# -- Interval between how often SNAT map is counted for stats.
mapStatsInterval: 30s
egressGateway:
# -- Enables egress gateway to redirect and SNAT the traffic that leaves the
# cluster.

View File

@@ -1,2 +1,2 @@
ARG VERSION=v1.16.0
ARG VERSION=v1.16.1
FROM quay.io/cilium/cilium:${VERSION}
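Review bot: `FROM quay.io/cilium/cilium:${VERSION}` resolves the base image by tag only, while the chart values in this same commit pin every upstream image by sha256. Consider pinning the base as `quay.io/cilium/cilium:${VERSION}@sha256:<digest>` so the rebuilt image is reproducible and cannot change if the tag is re-pushed.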

View File

@@ -33,7 +33,7 @@ cilium:
value: "true"
image:
repository: ghcr.io/aenix-io/cozystack/cilium
tag: 1.16.0
digest: "sha256:6897e67f0ed8c7d5c27c8793a78283d6c1fa7a16e17c961ec3f2d5af7a72f645"
tag: latest
digest: "sha256:9593dbc3bd25487b52d8f43330d4a308e450605479a8384a32117e9613289892"
envoy:
enabled: false
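Review bot: `tag` goes from `1.16.0` to `latest` for ghcr.io/aenix-io/cozystack/cilium, so the values file no longer records which Cilium version the image was built from. The `digest` still pins the content, but `latest` is mutable and would float if digest pinning is ever turned off. Suggest `tag: 1.16.1` to match `ARG VERSION=v1.16.1` in the Dockerfile.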