Update Cilium from v1.10.5 to v1.11.0

* https://github.com/cilium/cilium/releases/tag/v1.11.0
This commit is contained in:
Dalton Hubble
2021-12-10 09:52:25 -08:00
parent 8add7022d1
commit 37f45cb28b
5 changed files with 31 additions and 35 deletions


@@ -70,6 +70,7 @@ rules:
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
- ciliumendpointslices
verbs:
- '*'
- apiGroups:
@@ -134,6 +135,7 @@ rules:
- list
- watch
- update
- delete
- apiGroups:
- ""
resources:
@@ -182,6 +184,7 @@ rules:
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
- ciliumegressnatpolicies
- ciliumendpointslices
verbs:
- '*'
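Review bot: The rule at L22-L28 appears to gain a `delete` verb (the hunk header reports one added line, and `- delete` is the only line not present in a typical list/watch/update set), but the resources that rule covers are above the hunk, so the manifest gives no indication of what the operator is now allowed to delete. A one-line comment above the verb would keep the least-privilege reasoning reviewable, e.g. `# delete: needed by the operator for <resource> (TODO: confirm against upstream v1.11.0 ClusterRole)`. Likewise the new `ciliumendpointslices` entries at L17 and L33 join rules whose verbs are `'*'` (L18-L19, L34-L35); a pointer comment naming the upstream ClusterRole these rules mirror would make future bumps easier to diff. The enclosing `rules:` list starts and ends outside these hunks.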


@@ -15,19 +15,14 @@ data:
# the kvstore by commenting out the identity-allocation-mode below, or
# setting it to "kvstore".
identity-allocation-mode: crd
# identity-change-grace-period is the grace period that needs to pass
# before an endpoint that has changed its identity will start using
# that new identity. During the grace period, the new identity has
# already been allocated and other nodes in the cluster have a chance
# to whitelist the new upcoming identity of the endpoint.
identity-change-grace-period: "5s"
cilium-endpoint-gc-interval: "5m0s"
# If you want to run cilium in debug mode change this value to true
debug: "false"
# TCP liveness and readiness probes (prefer exec probe for now)
agent-health-port: "9876"
# The agent can be put into the following three policy enforcement modes
# default, always and never.
# https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes
enable-policy: "default"
# Prometheus
# enable-metrics: "true"
@@ -65,17 +60,16 @@ data:
# Only effective when monitor aggregation is set to "medium" or higher.
monitor-aggregation-flags: all
# bpf-policy-map-max specified the maximum number of entries in endpoint
# policy map (per endpoint)
bpf-policy-map-max: "16384"
# bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
# backend and affinity maps.
bpf-lb-map-max: "65536"
# Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
bpf-map-dynamic-size-ratio: "0.0025"
# bpf-policy-map-max specified the maximum number of entries in endpoint
# policy map (per endpoint)
bpf-policy-map-max: "16384"
# bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
# backend and affinity maps.
bpf-lb-map-max: "65536"
bpf-lb-external-clusterip: "true"
# Pre-allocation of map entries allows per-packet latency to be reduced, at
# the expense of up-front memory allocation for the entries in the maps. The
@@ -94,15 +88,20 @@ data:
# 1.4 or later, then it may cause one-time disruptions during the upgrade.
preallocate-bpf-maps: "false"
# Name of the cluster. Only relevant when building a mesh of clusters.
cluster-name: default
# Unique ID of the cluster. Must be unique across all conneted clusters and
# in the range of 1 and 255. Only relevant when building a mesh of clusters.
cluster-id: ""
# Encapsulation mode for communication between nodes
# Possible values:
# - disabled
# - vxlan (default)
# - geneve
tunnel: vxlan
# Name of the cluster. Only relevant when building a mesh of clusters.
cluster-name: default
# Enables L7 proxy for L7 policy enforcement and visibility
enable-l7-proxy: "true"
auto-direct-node-routes: "false"
@@ -123,12 +122,11 @@ data:
masquerade: "true"
# bpfMasquerade enables masquerading with BPF instead of iptables
enable-bpf-masquerade: "true"
bpf-lb-external-clusterip: "true"
# kube-proxy
kube-proxy-replacement: "probe"
kube-proxy-replacement-healthz-bind-address: ""
enable-session-affinity: "false"
enable-session-affinity: "true"
# ClusterIPs from host namespace
enable-host-reachable-services: "false"
@@ -145,8 +143,10 @@ data:
cluster-pool-ipv4-mask-size: "24"
# Health
agent-health-port: "9876"
enable-health-checking: "true"
enable-endpoint-health-checking: "true"
enable-health-check-nodeport: "true"
# Identity
enable-well-known-identities: "false"
@@ -155,6 +155,7 @@ data:
# Misc
enable-bandwidth-manager: "false"
enable-local-redirect-policy: "false"
# enable-l7-proxy: "false"
policy-audit-mode: "false"
operator-api-serve-addr: "127.0.0.1:9234"
enable-l2-neigh-discovery: "true"
enable-k8s-terminating-endpoint: "true"
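Review bot: `enable-session-affinity` flips from `"false"` to `"true"` at L108-L109, and new toggles `enable-health-check-nodeport: "true"` (L118), `enable-l2-neigh-discovery: "true"` (L128) and `enable-k8s-terminating-endpoint: "true"` (L129) are added, yet the commit description only says the version was bumped. These are datapath behaviour changes, not just a release update, and deserve either a sentence in the description or a comment above each key, e.g. `# Changed from "false" in the v1.10.5 manifest; matches upstream v1.11.0 defaults` over `enable-session-affinity`. The commented-out `# enable-l7-proxy: "false"` at L125 contradicts the live `enable-l7-proxy: "true"` at L98 and is dead text that can mislead; it looks safe to drop in a follow-up. The `data:` mapping starts and ends outside these hunks.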


@@ -40,7 +40,7 @@ spec:
image: ${cilium_agent_image}
command:
- sh
- -c
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh and mount that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
@@ -65,9 +65,6 @@ spec:
command:
- /init-container.sh
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
volumeMounts:
- name: sys-fs-bpf
@@ -115,10 +112,6 @@ spec:
command:
- /cni-uninstall.sh
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
privileged: true
livenessProbe:
exec:
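Review bot: The init containers at L145-L149 and L155-L160 keep `privileged: true` while their explicit `capabilities.add` lists (`NET_ADMIN`, `SYS_MODULE`) are removed; since privileged already implies every capability the removal is a no-op, but the manifest now records nothing about which privileges the init scripts actually need, which matters for anyone attempting to tighten the pod security context later. A comment above each `privileged: true` would preserve that, e.g. `# privileged rather than a capability list: /init-container.sh needs more than NET_ADMIN/SYS_MODULE (presumably bpffs mount — confirm)`; the `sys-fs-bpf` mount at L151 is the only visible hint. The `- -c` to `- -ec` change at L137-L138 is sound, as `-e` makes the wrapper shell abort on the first failing command instead of proceeding. The container specs start and end outside these hunks.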


@@ -82,4 +82,3 @@ spec:
- name: config
configMap:
name: cilium


@@ -62,8 +62,8 @@ variable "container_images" {
default = {
calico = "quay.io/calico/node:v3.21.2"
calico_cni = "quay.io/calico/cni:v3.21.2"
cilium_agent = "quay.io/cilium/cilium:v1.10.5"
cilium_operator = "quay.io/cilium/operator-generic:v1.10.5"
cilium_agent = "quay.io/cilium/cilium:v1.11.0"
cilium_operator = "quay.io/cilium/operator-generic:v1.11.0"
coredns = "k8s.gcr.io/coredns/coredns:v1.8.6"
flannel = "quay.io/coreos/flannel:v0.15.1"
flannel_cni = "quay.io/poseidon/flannel-cni:v0.4.2"