diff --git a/packages/system/cilium/charts/cilium/Chart.yaml b/packages/system/cilium/charts/cilium/Chart.yaml
index 007af862..2364c1c5 100644
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -79,7 +79,7 @@ annotations:
 Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.0
+appVersion: 1.16.1
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.0
+version: 1.16.1
diff --git a/packages/system/cilium/charts/cilium/README.md b/packages/system/cilium/charts/cilium/README.md
index 2c293a58..464701c1 100644
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.16.0](https://img.shields.io/badge/Version-1.16.0-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+![Version: 1.16.1](https://img.shields.io/badge/Version-1.16.1-informational?style=flat-square) ![AppVersion: 1.16.1](https://img.shields.io/badge/AppVersion-1.16.1-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as
@@ -46,7 +46,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge ## Getting Help The best way to get help if you get stuck is to ask a question on the -[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium +[Cilium Slack channel](https://slack.cilium.io). With Cilium contributors across the globe, there is almost always someone available to help. ## Values @@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. | -| clustermesh.apiserver.image | object | `{"digest":"sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.1","useDigest":true}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -445,7 +445,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.export.fileMaxSizeMb | int | `10` | - Defines max file size of output file before it gets rotated. | | hubble.export.static | object | `{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}` | - Static exporter configuration. Static exporter is bound to agent lifecycle. | | hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. | -| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. 
| +| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. | | hubble.metrics.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for hubble grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards | | hubble.metrics.enableOpenMetrics | bool | `false` | Enables exporting hubble metrics in OpenMetrics format. | | hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" | 
@@ -458,10 +458,11 @@ contributors across the globe, there is almost always someone available to help. | hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble | | hubble.metrics.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor hubble | | hubble.metrics.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor hubble | -| hubble.metrics.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble metrics server certificate. | +| hubble.metrics.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble metrics server certificate (deprecated). Use existingSecret instead. | +| hubble.metrics.tls.server.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored. | | hubble.metrics.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated | | hubble.metrics.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated | -| hubble.metrics.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble metrics server key. | +| hubble.metrics.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble metrics server key (deprecated). Use existingSecret instead. | | hubble.metrics.tls.server.mtls | object | `{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}` | Configure mTLS for the Hubble metrics server. | | hubble.metrics.tls.server.mtls.key | string | `"ca.crt"` | Entry of the ConfigMap containing the CA. | | hubble.metrics.tls.server.mtls.name | string | `nil` | Name of the ConfigMap containing the CA to validate client certificates against. 
If mTLS is enabled and this is unspecified, it will default to the same CA used for Hubble metrics server certificates. | @@ -483,7 +484,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.1","useDigest":true}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -515,17 +516,23 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.sortBufferDrainTimeout | string | `nil` | When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). | | hubble.relay.sortBufferLenMax | int | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). | | hubble.relay.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for hubble relay Deployment. | -| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}` | TLS configuration for Hubble Relay | -| hubble.relay.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the hubble-relay client certificate and private key This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. | -| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}` | base64 encoded PEM values for the hubble-relay server certificate and private key | +| hubble.relay.tls | object | `{"client":{"cert":"","existingSecret":"","key":""},"server":{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}` | TLS configuration for Hubble Relay | +| hubble.relay.tls.client | object | `{"cert":"","existingSecret":"","key":""}` | The hubble-relay client certificate and private key. This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. 
These values need to be set manually if hubble.tls.auto.enabled is false. | +| hubble.relay.tls.client.cert | string | `""` | base64 encoded PEM values for the Hubble relay client certificate (deprecated). Use existingSecret instead. | +| hubble.relay.tls.client.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble metrics server. If specified, cert and key are ignored. | +| hubble.relay.tls.client.key | string | `""` | base64 encoded PEM values for the Hubble relay client key (deprecated). Use existingSecret instead. | +| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}` | The hubble-relay server certificate and private key | +| hubble.relay.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble relay server certificate (deprecated). Use existingSecret instead. | +| hubble.relay.tls.server.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble relay server. If specified, cert and key are ignored. | | hubble.relay.tls.server.extraDnsNames | list | `[]` | extra DNS names added to certificate when its auto gen | | hubble.relay.tls.server.extraIpAddresses | list | `[]` | extra IP addresses added to certificate when its auto gen | +| hubble.relay.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble relay server key (deprecated). Use existingSecret instead. 
| | hubble.relay.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | hubble.relay.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for hubble-relay | | hubble.relay.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-relay update strategy | | hubble.skipUnknownCGroupIDs | bool | `true` | Skip Hubble events with unknown cgroup ids | | hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. | -| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble | +| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble | | hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. | | hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. | | hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. | 
@@ -533,9 +540,12 @@ contributors across the globe, there is almost always someone available to help. | hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates. | | hubble.tls.auto.schedule | string | `"0 0 1 */4 *"` | Schedule for certificates regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time. Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax | | hubble.tls.enabled | bool | `true` | Enable mutual TLS for listenAddress. Setting this value to false is highly discouraged as the Hubble API provides access to potentially sensitive network flow metadata and is exposed on the host network. | -| hubble.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the Hubble server certificate and private key | +| hubble.tls.server | object | `{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | The Hubble server certificate and private key | +| hubble.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble server certificate (deprecated). Use existingSecret instead. | +| hubble.tls.server.existingSecret | string | `""` | Name of the Secret containing the certificate and key for the Hubble server. If specified, cert and key are ignored. 
| | hubble.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated | | hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated | +| hubble.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble server key (deprecated). Use existingSecret instead. | | hubble.ui.affinity | object | `{}` | Affinity for hubble-ui | | hubble.ui.annotations | object | `{}` | Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) | | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | 
@@ -572,13 +582,15 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.service.type | string | `"ClusterIP"` | - The type of service used for Hubble UI access, either ClusterIP or NodePort. | | hubble.ui.standalone.enabled | bool | `false` | When true, it will allow installing the Hubble UI only, without checking dependencies. It is useful if a cluster already has cilium and Hubble relay installed and you just want Hubble UI to be deployed. When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` | | hubble.ui.standalone.tls.certsVolume | object | `{}` | When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates. | -| hubble.ui.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values used to connect to hubble-relay This keypair is presented to Hubble Relay instances for mTLS authentication and is required when hubble.relay.tls.server.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. | +| hubble.ui.tls.client.cert | string | `""` | base64 encoded PEM values for the Hubble UI client certificate (deprecated). Use existingSecret instead. | +| hubble.ui.tls.client.existingSecret | string | `""` | Name of the Secret containing the client certificate and key for Hubble UI If specified, cert and key are ignored. | +| hubble.ui.tls.client.key | string | `""` | base64 encoded PEM values for the Hubble UI client key (deprecated). Use existingSecret instead. 
| | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | hubble.ui.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for hubble-ui | | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Agent container image. | | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -657,6 +669,8 @@ contributors across the globe, there is almost always someone available to help. | monitor | object | `{"enabled":false}` | cilium-monitor sidecar. | | monitor.enabled | bool | `false` | Enable the cilium-monitor sidecar. | | name | string | `"cilium"` | Agent container name. | +| nat.mapStatsEntries | int | `32` | Number of the top-k SNAT map connections to track in Cilium statedb. | +| nat.mapStatsInterval | string | `"30s"` | Interval between how often SNAT map is counted for stats. | | nat46x64Gateway | object | `{"enabled":false}` | Configure standalone NAT46/NAT64 gateway | | nat46x64Gateway.enabled | bool | `false` | Enable RFC8215-prefixed translation | | nodeIPAM.enabled | bool | `false` | Configure Node IPAM ref: https://docs.cilium.io/en/stable/network/node-ipam/ | 
@@ -703,7 +717,7 @@ contributors across the globe, there is almost always someone available to help. | operator.hostNetwork | bool | `true` | HostNetwork setting | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea","awsDigest":"sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f","azureDigest":"sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d","genericDigest":"sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804","awsDigest":"sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4","azureDigest":"sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22","genericDigest":"sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.1","useDigest":true}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -753,7 +767,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
diff --git a/packages/system/cilium/charts/cilium/README.md.gotmpl b/packages/system/cilium/charts/cilium/README.md.gotmpl
index db2d81b7..4aa7da8f 100644
--- a/packages/system/cilium/charts/cilium/README.md.gotmpl
+++ b/packages/system/cilium/charts/cilium/README.md.gotmpl
@@ -48,7 +48,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge
 ## Getting Help
 The best way to get help if you get stuck is to ask a question on the
-[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
+[Cilium Slack channel](https://slack.cilium.io). With Cilium
 contributors across the globe, there is almost always someone available to help.
 {{ template "chart.valuesSection" . }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
index 474acc18..a78edbdc 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -984,7 +984,7 @@ spec:
 defaultMode: 0400
 sources:
 - secret:
- name: hubble-server-certs
+ name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-server-certs" }}
 optional: true
 items:
 - key: tls.crt
@@ -1010,7 +1010,7 @@ spec:
 defaultMode: 0400
 sources:
 - secret:
- name: hubble-metrics-server-certs
+ name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-metrics-server-certs" }}
 optional: true
 items:
 - key: tls.crt
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
index 946e6000..6dfc5312 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
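Review bot: The second cilium-agent/daemonset.yaml hunk (`@@ -1010`) names the `hubble-metrics-server-certs` projection from `.Values.hubble.tls.server.existingSecret`, but the metrics-server Secret template in this same commit is gated on `.Values.hubble.metrics.tls.server.existingSecret`, and the README documents that value as the one for the metrics server. With the hunk as written, setting `hubble.metrics.tls.server.existingSecret` stops the chart from rendering its own Secret while the agent still mounts the default name, and because the projection is `optional: true` the mount comes up empty instead of failing; setting only `hubble.tls.server.existingSecret` instead mounts the Hubble server keypair into the metrics-server volume. The line should read `name: {{ .Values.hubble.metrics.tls.server.existingSecret | default "hubble-metrics-server-certs" }}`. The enclosing `volumes` entry starts and ends outside the hunk, so which mount this is has been inferred from the default Secret name.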
@@ -1290,6 +1290,9 @@ data:
 clustermesh-enable-endpoint-sync: {{ .Values.clustermesh.enableEndpointSliceSynchronization | quote }}
 clustermesh-enable-mcs-api: {{ .Values.clustermesh.enableMCSAPISupport | quote }}
+ nat-map-stats-entries: {{ .Values.nat.mapStatsEntries | quote }}
+ nat-map-stats-interval: {{ .Values.nat.mapStatsInterval | quote }}
+
 # Extra config allows adding arbitrary properties to the cilium config.
 # By putting it at the end of the ConfigMap, it's also possible to override existing properties.
 {{- if .Values.extraConfig }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml
index 074e2574..30d8d062 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml
@@ -170,7 +170,7 @@ spec:
 defaultMode: 0400
 sources:
 - secret:
- name: hubble-relay-client-certs
+ name: {{ .Values.hubble.relay.tls.client.existingSecret | default "hubble-relay-client-certs" }}
 items:
 - key: tls.crt
 path: client.crt
@@ -188,7 +188,7 @@ spec:
 {{- end }}
 {{- if .Values.hubble.relay.tls.server.enabled }}
 - secret:
- name: hubble-relay-server-certs
+ name: {{ .Values.hubble.relay.tls.server.existingSecret | default "hubble-relay-server-certs" }}
 items:
 - key: tls.crt
 path: server.crt
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml
index 105907a5..66f3b088 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml
@@ -186,7 +186,7 @@ spec:
 defaultMode: 0400
 sources:
 - secret:
- name: hubble-ui-client-certs
+ name: {{ .Values.hubble.ui.tls.client.existingSecret | default "hubble-ui-client-certs" }}
 items:
 - key: tls.crt
 path: client.crt
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
index 001a3e3c..49604160 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
@@ -10,10 +10,6 @@ spec:
 {{- end }}
 spec:
 securityContext:
- {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
- appArmorProfile:
- type: RuntimeDefault
- {{- end }}
 seccompProfile:
 type: RuntimeDefault
 containers:
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml
index f30f4572..d902ae9b 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.metrics.tls.enabled (not .Values.hubble.tls.auto.enabled) }}
+{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.metrics.tls.enabled (not .Values.hubble.tls.auto.enabled) (not .Values.hubble.metrics.tls.server.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml
index b1512ed2..28b540db 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled }}
+{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled (not .Values.hubble.relay.tls.client.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml
index 07059143..187c781b 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
+{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled (not .Values.hubble.relay.tls.server.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml
index f659a1fb..9991f0c9 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) }}
+{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) (not .Values.hubble.tls.server.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml
index ca7683a4..6f0b45e2 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
+{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled (not .Values.hubble.ui.tls.client.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
index 6c0bffe7..d8c80d9e 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
@@ -39,6 +39,10 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 initContainers:
 - name: init
 image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }}
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
index 49ab9690..a47cbf5f 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
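Review bot: The `imagePullSecrets` added to the spire agent daemonset at @@ -39,6 +39,10 name Secrets that Kubernetes resolves in the pod's own namespace, and the SPIRE workloads appear to be installed into a namespace chosen by the chart's spire install settings rather than the release namespace where `.Values.imagePullSecrets` are normally created — confirm against the metadata block above the hunk. If that holds, the pull will fail until an operator copies the same Secrets into that namespace, which is worth a comment on the values entry or a line in the README, e.g. `# Pull Secrets must also exist in the SPIRE namespace when authentication.mutual.spire.install.enabled is true.` The spire/server statefulset hunk at @@ -38,6 +38,10 has the same property. The pod templates continue outside both hunks.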
@@ -38,6 +38,10 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if gt (len .Values.authentication.mutual.spire.install.server.initContainers) 0 }}
 initContainers:
 {{- toYaml .Values.authentication.mutual.spire.install.server.initContainers | nindent 8 }}
diff --git a/packages/system/cilium/charts/cilium/values.schema.json b/packages/system/cilium/charts/cilium/values.schema.json
index 3866ea93..a055f323 100644
--- a/packages/system/cilium/charts/cilium/values.schema.json
+++ b/packages/system/cilium/charts/cilium/values.schema.json
@@ -2606,6 +2606,9 @@
 "cert": {
 "type": "string"
 },
+ "existingSecret": {
+ "type": "string"
+ },
 "extraDnsNames": {
 "items": {},
 "type": "array"
@@ -2981,6 +2984,9 @@
 "cert": {
 "type": "string"
 },
+ "existingSecret": {
+ "type": "string"
+ },
 "key": {
 "type": "string"
 }
@@ -2995,6 +3001,9 @@
 "enabled": {
 "type": "boolean"
 },
+ "existingSecret": {
+ "type": "string"
+ },
 "extraDnsNames": {
 "items": {},
 "type": "array"
@@ -3087,6 +3096,9 @@
 "cert": {
 "type": "string"
 },
+ "existingSecret": {
+ "type": "string"
+ },
 "extraDnsNames": {
 "items": {},
 "type": "array"
@@ -3372,6 +3384,9 @@
 "cert": {
 "type": "string"
 },
+ "existingSecret": {
+ "type": "string"
+ },
 "key": {
 "type": "string"
 }
@@ -3830,6 +3845,17 @@
 "name": {
 "type": "string"
 },
+ "nat": {
+ "properties": {
+ "mapStatsEntries": {
+ "type": "integer"
+ },
+ "mapStatsInterval": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
 "nat46x64Gateway": {
 "properties": {
 "enabled": {
diff --git a/packages/system/cilium/charts/cilium/values.yaml b/packages/system/cilium/charts/cilium/values.yaml
index 6f198b35..dbaa6c6e 100644
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -153,10 +153,10 @@ image:
 # @schema
 override: ~
 repository: "quay.io/cilium/cilium"
- tag: "v1.16.0"
+ tag: "v1.16.1"
 pullPolicy: "IfNotPresent"
 # cilium-digest
- digest: "sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058"
+ digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
 useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1077,9 +1077,14 @@ hubble:
 enabled: false
 # Configure hubble metrics server TLS.
 server:
- # -- base64 encoded PEM values for the Hubble metrics server certificate.
+ # -- Name of the Secret containing the certificate and key for the Hubble metrics server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble metrics server certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
- # -- base64 encoded PEM values for the Hubble metrics server key.
+ # -- base64 encoded PEM values for the Hubble metrics server key (deprecated).
+ # Use existingSecret instead.
 key: ""
 # -- Extra DNS names added to certificate when it's auto generated
 extraDnsNames: []
@@ -1277,9 +1282,16 @@ hubble:
 # name: ca-issuer
 # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
 certManagerIssuerRef: {}
- # -- base64 encoded PEM values for the Hubble server certificate and private key
+ # -- The Hubble server certificate and private key
 server:
+ # -- Name of the Secret containing the certificate and key for the Hubble server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble server certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble server key (deprecated).
+ # Use existingSecret instead.
 key: ""
 # -- Extra DNS names added to certificate when it's auto generated
 extraDnsNames: []
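Review bot: The `existingSecret` comments added under hubble.metrics.tls.server (@@ -1077,9 +1077,14) and hubble.tls.server (@@ -1277,9 +1282,16) say only that cert and key are ignored; they do not say which keys the referenced Secret must carry, that it must live in the release namespace, or how the value interacts with hubble.tls.auto.enabled, even though the tls-provided templates in this commit only skip the chart-managed Secret when auto generation is off. A second comment line would close that gap: `# The Secret must exist in the release namespace and use the same keys as the chart-managed Secret (tls.crt/tls.key; confirm the full list against the consuming volume projections).` and `# Only honoured by the tls-provided templates when hubble.tls.auto.enabled is false.` The values.yaml.tmpl hunks at @@ -1086,9 +1086,14 and @@ -1286,9 +1291,16 carry the same text and need the same addition.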
@@ -1297,9 +1309,9 @@ hubble:
 # @schema
 override: ~
 repository: "quay.io/cilium/hubble-relay"
- tag: "v1.16.0"
+ tag: "v1.16.1"
 # hubble-relay-digest
- digest: "sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d"
+ digest: "sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- Specifies the resources for the hubble-relay pods
@@ -1391,14 +1403,21 @@ hubble:
 listenPort: "4245"
 # -- TLS configuration for Hubble Relay
 tls:
- # -- base64 encoded PEM values for the hubble-relay client certificate and private key
+ # -- The hubble-relay client certificate and private key.
 # This keypair is presented to Hubble server instances for mTLS
 # authentication and is required when hubble.tls.enabled is true.
 # These values need to be set manually if hubble.tls.auto.enabled is false.
 client:
+ # -- Name of the Secret containing the certificate and key for the Hubble metrics server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble relay client certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble relay client key (deprecated).
+ # Use existingSecret instead.
 key: ""
- # -- base64 encoded PEM values for the hubble-relay server certificate and private key
+ # -- The hubble-relay server certificate and private key
 server:
 # When set to true, enable TLS on for Hubble Relay server
 # (ie: for clients connecting to the Hubble Relay API).
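Review bot: The comment added on `hubble.relay.tls.client.existingSecret` in the hunk at @@ -1391,14 +1403,21 says the Secret holds the certificate and key "for the Hubble metrics server", which is the metrics-server wording copied into the wrong place; this value names the relay's own client keypair, as the deprecated cert/key comments directly below it say. Replace the first line with `# -- Name of the Secret containing the client certificate and key for Hubble Relay.` Since this Secret is what Relay presents to Hubble servers for mTLS, a wrong description here sends operators to the wrong certificate. The values.yaml.tmpl hunk at @@ -1400,14 +1412,21 carries the same mistake.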
@@ -1407,8 +1426,14 @@ hubble:
 # False allow non-mutual TLS connections.
 # This option has no effect when TLS is disabled.
 mtls: false
- # These values need to be set manually if hubble.tls.auto.enabled is false.
+ # -- Name of the Secret containing the certificate and key for the Hubble relay server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble relay server certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble relay server key (deprecated).
+ # Use existingSecret instead.
 key: ""
 # -- extra DNS names added to certificate when its auto gen
 extraDnsNames: []
@@ -1515,12 +1540,15 @@ hubble:
 # -- Roll out Hubble-ui pods automatically when configmap is updated.
 rollOutPods: false
 tls:
- # -- base64 encoded PEM values used to connect to hubble-relay
- # This keypair is presented to Hubble Relay instances for mTLS
- # authentication and is required when hubble.relay.tls.server.enabled is true.
- # These values need to be set manually if hubble.tls.auto.enabled is false.
 client:
+ # -- Name of the Secret containing the client certificate and key for Hubble UI
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble UI client certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble UI client key (deprecated).
+ # Use existingSecret instead.
 key: ""
 backend:
 # -- Hubble-ui backend image.
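Review bot: The four comment lines removed from `hubble.ui.tls` in the hunk at @@ -1515,12 +1540,15 were the only place stating that this keypair is presented to Hubble Relay for mTLS, that it is required when hubble.relay.tls.server.enabled is true, and that it must be supplied manually when hubble.tls.auto.enabled is false; the new `existingSecret` comment does not carry any of that over, so a reader can no longer tell when the value is needed at all. A `# --` comment on `client:` restores it without repeating the per-key text: `# -- Hubble UI client certificate and private key, presented to Hubble Relay for mTLS; required when hubble.relay.tls.server.enabled is true and must be provided when hubble.tls.auto.enabled is false.` The values.yaml.tmpl hunk at @@ -1524,12 +1549,15 drops the same lines.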
@@ -1886,6 +1914,11 @@ enableMasqueradeRouteSource: false
 enableIPv4BIGTCP: false
 # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
 enableIPv6BIGTCP: false
+nat:
+ # -- Number of the top-k SNAT map connections to track in Cilium statedb.
+ mapStatsEntries: 32
+ # -- Interval between how often SNAT map is counted for stats.
+ mapStatsInterval: 30s
 egressGateway:
 # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
 # cluster.
@@ -2441,15 +2474,15 @@ operator:
 # @schema
 override: ~
 repository: "quay.io/cilium/operator"
- tag: "v1.16.0"
+ tag: "v1.16.1"
 # operator-generic-digest
- genericDigest: "sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316"
+ genericDigest: "sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4"
 # operator-azure-digest
- azureDigest: "sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d"
+ azureDigest: "sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22"
 # operator-aws-digest
- awsDigest: "sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f"
+ awsDigest: "sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4"
 # operator-alibabacloud-digest
- alibabacloudDigest: "sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea"
+ alibabacloudDigest: "sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804"
 useDigest: true
 pullPolicy: "IfNotPresent"
 suffix: ""
@@ -2723,9 +2756,9 @@ preflight:
 # @schema
 override: ~
 repository: "quay.io/cilium/cilium"
- tag: "v1.16.0"
+ tag: "v1.16.1"
 # cilium-digest
- digest: "sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058"
+ digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- The priority class to use for the preflight pod.
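Review bot: The `nat` block added at @@ -1886,6 +1914,11 is joined directly to enableIPv6BIGTCP and egressGateway, whereas the same block in the values.yaml.tmpl hunk at @@ -1897,6 +1925,13 is surrounded by blank lines; if values.yaml is rendered from the template, the two files should be byte-identical here or the next regeneration will produce a spurious diff. The `mapStatsInterval` comment also reads awkwardly; `# -- How often the SNAT map is scanned to refresh the statistics.` states the same thing plainly, and `# -- Number of top-k SNAT map connections tracked in the Cilium statedb.` does likewise for `mapStatsEntries`. Both values are passed through `quote` by the ConfigMap template, so the unquoted `30s` is safe as written.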
@@ -2872,9 +2905,9 @@ clustermesh:
 # @schema
 override: ~
 repository: "quay.io/cilium/clustermesh-apiserver"
- tag: "v1.16.0"
+ tag: "v1.16.1"
 # clustermesh-apiserver-digest
- digest: "sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e"
+ digest: "sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- TCP port for the clustermesh-apiserver health API.
diff --git a/packages/system/cilium/charts/cilium/values.yaml.tmpl b/packages/system/cilium/charts/cilium/values.yaml.tmpl
index e46a0394..5c57d16a 100644
--- a/packages/system/cilium/charts/cilium/values.yaml.tmpl
+++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl
@@ -1086,9 +1086,14 @@ hubble:
 enabled: false
 # Configure hubble metrics server TLS.
 server:
- # -- base64 encoded PEM values for the Hubble metrics server certificate.
+ # -- Name of the Secret containing the certificate and key for the Hubble metrics server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble metrics server certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
- # -- base64 encoded PEM values for the Hubble metrics server key.
+ # -- base64 encoded PEM values for the Hubble metrics server key (deprecated).
+ # Use existingSecret instead.
 key: ""
 # -- Extra DNS names added to certificate when it's auto generated
 extraDnsNames: []
@@ -1286,9 +1291,16 @@ hubble:
 # name: ca-issuer
 # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
 certManagerIssuerRef: {}
- # -- base64 encoded PEM values for the Hubble server certificate and private key
+ # -- The Hubble server certificate and private key
 server:
+ # -- Name of the Secret containing the certificate and key for the Hubble server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble server certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble server key (deprecated).
+ # Use existingSecret instead.
 key: ""
 # -- Extra DNS names added to certificate when it's auto generated
 extraDnsNames: []
@@ -1400,14 +1412,21 @@ hubble:
 listenPort: "4245"
 # -- TLS configuration for Hubble Relay
 tls:
- # -- base64 encoded PEM values for the hubble-relay client certificate and private key
+ # -- The hubble-relay client certificate and private key.
 # This keypair is presented to Hubble server instances for mTLS
 # authentication and is required when hubble.tls.enabled is true.
 # These values need to be set manually if hubble.tls.auto.enabled is false.
 client:
+ # -- Name of the Secret containing the certificate and key for the Hubble metrics server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble relay client certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble relay client key (deprecated).
+ # Use existingSecret instead.
 key: ""
- # -- base64 encoded PEM values for the hubble-relay server certificate and private key
+ # -- The hubble-relay server certificate and private key
 server:
 # When set to true, enable TLS on for Hubble Relay server
 # (ie: for clients connecting to the Hubble Relay API).
@@ -1416,8 +1435,14 @@ hubble:
 # False allow non-mutual TLS connections.
 # This option has no effect when TLS is disabled.
 mtls: false
- # These values need to be set manually if hubble.tls.auto.enabled is false.
+ # -- Name of the Secret containing the certificate and key for the Hubble relay server.
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble relay server certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble relay server key (deprecated).
+ # Use existingSecret instead.
 key: ""
 # -- extra DNS names added to certificate when its auto gen
 extraDnsNames: []
@@ -1524,12 +1549,15 @@ hubble:
 # -- Roll out Hubble-ui pods automatically when configmap is updated.
 rollOutPods: false
 tls:
- # -- base64 encoded PEM values used to connect to hubble-relay
- # This keypair is presented to Hubble Relay instances for mTLS
- # authentication and is required when hubble.relay.tls.server.enabled is true.
- # These values need to be set manually if hubble.tls.auto.enabled is false.
 client:
+ # -- Name of the Secret containing the client certificate and key for Hubble UI
+ # If specified, cert and key are ignored.
+ existingSecret: ""
+ # -- base64 encoded PEM values for the Hubble UI client certificate (deprecated).
+ # Use existingSecret instead.
 cert: ""
+ # -- base64 encoded PEM values for the Hubble UI client key (deprecated).
+ # Use existingSecret instead.
 key: ""
 backend:
 # -- Hubble-ui backend image.
@@ -1897,6 +1925,13 @@ enableMasqueradeRouteSource: false
 enableIPv4BIGTCP: false
 # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
 enableIPv6BIGTCP: false
+
+nat:
+ # -- Number of the top-k SNAT map connections to track in Cilium statedb.
+ mapStatsEntries: 32
+ # -- Interval between how often SNAT map is counted for stats.
+ mapStatsInterval: 30s
+
 egressGateway:
 # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
 # cluster.
diff --git a/packages/system/cilium/images/cilium/Dockerfile b/packages/system/cilium/images/cilium/Dockerfile
index 8d122a62..fe63bd05 100644
--- a/packages/system/cilium/images/cilium/Dockerfile
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.0
+ARG VERSION=v1.16.1
 FROM quay.io/cilium/cilium:${VERSION}
diff --git a/packages/system/cilium/values.yaml b/packages/system/cilium/values.yaml
index 29949a5d..5f8d8008 100644
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -33,7 +33,7 @@ cilium:
 value: "true"
 image:
 repository: ghcr.io/aenix-io/cozystack/cilium
- tag: 1.16.0
- digest: "sha256:6897e67f0ed8c7d5c27c8793a78283d6c1fa7a16e17c961ec3f2d5af7a72f645"
+ tag: latest
+ digest: "sha256:9593dbc3bd25487b52d8f43330d4a308e450605479a8384a32117e9613289892"
 envoy:
 enabled: false
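Review bot: `tag: latest` in the packages/system/cilium/values.yaml hunk at @@ -33,7 +33,7 swaps the versioned `1.16.0` tag for a floating one; the digest beside it still pins the exact image as long as the chart's digest path is in use (presumably `useDigest` stays at the chart default), but the tag no longer records which release the digest belongs to, and the reference would silently float to whatever `latest` points at if the digest were ever dropped or ignored by a consumer. The Dockerfile hunk in the same commit builds from `v1.16.1`, so a matching tag exists; suggest `tag: "1.16.1"`, quoted like the chart's own image values so a future two-component version such as `1.17` is not read as a float. The `cilium:` mapping continues above and below the hunk.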