From 7caccec11df57933f75837172b1ee033b69e687c Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 16 May 2024 14:04:00 +0200 Subject: [PATCH 01/25] upd kubernetes (#134) * Allow root login without password * add ephemeral volumes for containerd and kubelet * update kubernetes application --- packages/apps/kubernetes/Chart.yaml | 4 +- .../apps/kubernetes/templates/cluster.yaml | 38 +++++++++++++++++-- packages/apps/versions_map | 3 +- 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 49dbcc63..2028768d 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -16,10 +16,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.19.0" +appVersion: "1.19.4" diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index 31382c74..19aebd00 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml 
@@ -74,6 +74,21 @@ metadata: spec: template: spec: + diskSetup: + filesystems: + - device: /dev/vdb + filesystem: xfs + label: containerd + partition: "none" + - device: /dev/vdc + filesystem: xfs + label: kubelet + partition: "none" + mounts: + - ["LABEL=containerd", "/var/lib/containerd"] + - ["LABEL=kubelet", "/var/lib/kubelet"] + preKubeadmCommands: + - sed -i 's|root:x:|root::|' /etc/passwd joinConfiguration: nodeRegistration: kubeletExtraArgs: {} @@ -108,17 +123,32 @@ spec: sockets: 1 devices: disks: - - disk: + - name: system + disk: bus: virtio - name: containervolume + pciAddress: 0000:07:00.0 + - name: containerd + disk: + bus: virtio + pciAddress: 0000:08:00.0 + - name: kubelet + disk: + bus: virtio + pciAddress: 0000:09:00.0 networkInterfaceMultiqueue: true memory: guest: {{ $group.resources.memory }} evictionStrategy: External volumes: - - containerDisk: + - name: system + containerDisk: image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}" - name: containervolume + - name: containerd + emptyDisk: + capacity: 20Gi + - name: kubelet + emptyDisk: + capacity: 20Gi --- apiVersion: cluster.x-k8s.io/v1beta1 kind: MachineDeployment diff --git a/packages/apps/versions_map b/packages/apps/versions_map index c7288590..e0b4f8b4 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -5,7 +5,8 @@ http-cache 0.2.0 HEAD kafka 0.1.0 760f86d2 kafka 0.2.0 HEAD kubernetes 0.1.0 f642698 -kubernetes 0.2.0 HEAD +kubernetes 0.2.0 7cd7de73 +kubernetes 0.3.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD From 6fc1cc7d5dae72f9dfb5d05362c563956625b127 Mon Sep 17 00:00:00 2001 
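Review bot: The added `preKubeadmCommands` entry `sed -i 's|root:x:|root::|' /etc/passwd` leaves root with an empty password field, so anyone who can reach the VM's console gets a root shell with no credential, and because the pattern is not anchored an account such as `nonroot:x:...` is opened the same way. If a passwordless console is really intended for debugging, anchor it, `sed -i 's|^root:x:|root::|' /etc/passwd`, and say so in a comment above the line; otherwise the KubeadmConfig `users` list with `sshAuthorizedKeys` and `lockPassword: true` keeps access key-based. The `diskSetup.filesystems` entries assume `/dev/vdb` and `/dev/vdc` are the two new `emptyDisk` volumes, which only holds because the VM template in the next hunk pins their `pciAddress`; a one-line comment on `filesystems:` stating that dependency would keep the two hunks from drifting apart. The enclosing bootstrap template spec starts and ends outside the hunk.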
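Review bot: Both new `emptyDisk` volumes hard-code `capacity: 20Gi` while the VM's memory in the same template comes from `$group.resources.memory`, so a node group cannot size its containerd and kubelet disks. Consider `capacity: {{ $group.resources.<diskSizeKey> | default "20Gi" }}` (key name to be chosen) on both volumes, plus a comment on the `containerd` volume noting that `emptyDisk` contents are presumably discarded when the VM pod is recreated — confirm the cloud-init filesystem setup reruns in that case. A comment on the first `pciAddress` line saying the fixed addresses exist to keep the `/dev/vdb`/`/dev/vdc` naming used by `diskSetup` stable would document the coupling. The enclosing VM template spec continues outside the hunk.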
From: Andrei Kvapil Date: Thu, 16 May 2024 14:04:10 +0200 Subject: [PATCH 02/25] etcd: Add quota-backend-bytes calculations (#133) --- packages/extra/etcd/Chart.yaml | 2 +- packages/extra/etcd/templates/etcd-cluster.yaml | 11 +++++++++++ packages/extra/versions_map | 3 ++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml index 54c171e1..3403ec0c 100644 --- a/packages/extra/etcd/Chart.yaml +++ b/packages/extra/etcd/Chart.yaml @@ -3,4 +3,4 @@ name: etcd description: Storage for Kubernetes clusters icon: https://www.svgrepo.com/show/353714/etcd.svg type: application -version: 2.0.0 +version: 2.0.1 diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml index a1f05c89..78bc5f00 100644 --- a/packages/extra/etcd/templates/etcd-cluster.yaml +++ b/packages/extra/etcd/templates/etcd-cluster.yaml @@ -1,9 +1,20 @@ +{{- define "calculateQuotaBackendBytes" -}} +{{- $units := dict "Ki" 1024 "Mi" 1048576 "Gi" 1073741824 -}} +{{- $value := regexFind "[0-9.]+" . -}} +{{- $unit := regexFind "[a-zA-Z]+" . -}} +{{- $numericValue := float64 $value -}} +{{- $bytes := mulf $numericValue (index $units $unit) -}} +{{- $result := mulf $bytes 0.95 -}} +{{- printf "%.0f" $result -}} +{{- end -}} --- apiVersion: etcd.aenix.io/v1alpha1 kind: EtcdCluster metadata: name: etcd spec: + options: + quota-backend-bytes: {{ include "calculateQuotaBackendBytes" .Values.size | quote }} replicas: {{ .Values.replicas }} storage: volumeClaimTemplate: diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 551c0a11..82611637 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -1,4 +1,5 @@ etcd 1.0.0 f7eaab0 -etcd 2.0.0 HEAD +etcd 2.0.0 a6d0f7cf +etcd 2.0.1 HEAD ingress 1.0.0 HEAD monitoring 1.0.0 HEAD From 007d414f0e0767a1a38dd37864ce887317475ceb Mon Sep 17 00:00:00 2001 
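Review bot: `calculateQuotaBackendBytes` silently produces a wrong value for any size whose unit is not `Ki`, `Mi` or `Gi`: `index $units $unit` returns nil for `Ti`, for SI units such as `G` or `M`, and for a plain byte count (where `$unit` is empty), and `mulf` then yields `0`, which etcd reads as "use the default quota". Fail at render time instead, e.g. `{{- if not (hasKey $units $unit) }}{{ fail (printf "calculateQuotaBackendBytes: unsupported unit %q in size %q" $unit .) }}{{ end -}}` before the `$bytes` line, and add `"Ti" 1099511627776` to the dict. A comment above the `define` should state the contract — input is a Kubernetes quantity such as `10Gi`, output is 95% of it in bytes — and mention that etcd warns about quotas above 8 GiB, so very large `.Values.size` values deserve a cap or at least a note.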
From: Andrei Kvapil Date: Thu, 16 May 2024 16:11:37 +0200 Subject: [PATCH 03/25] Prepare release v0.6.0 (#135) --- manifests/cozystack-installer.yaml | 4 ++-- packages/apps/http-cache/images/nginx-cache.json | 4 ++-- packages/apps/kubernetes/images/ubuntu-container-disk.json | 4 ++-- packages/core/installer/images/cozystack.json | 4 ++-- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/matchbox.json | 4 ++-- packages/system/dashboard/images/dashboard.json | 4 ++-- packages/system/dashboard/images/dashboard.tag | 2 +- packages/system/dashboard/images/kubeapps-apis.json | 4 ++-- packages/system/dashboard/images/kubeapps-apis.tag | 2 +- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index c3186105..742c7723 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.5.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.5.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" command: - /usr/bin/darkhttpd - /cozystack/assets diff --git a/packages/apps/http-cache/images/nginx-cache.json b/packages/apps/http-cache/images/nginx-cache.json index 4314d5f3..e0e737b3 100644 --- a/packages/apps/http-cache/images/nginx-cache.json +++ b/packages/apps/http-cache/images/nginx-cache.json 
@@ -1,4 +1,4 @@
 {
- "containerimage.config.digest": "sha256:fbf82620e58e1502946ab32b5b11ada483f06c0c903d6a532a46ab842f913555",
- "containerimage.digest": "sha256:f51a4f2f3d9452ead2c77e3a85a29167d08d86e924196b250c5f7d3b8ebf990c"
+ "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf",
+ "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb"
 }
\ No newline at end of file
diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.json b/packages/apps/kubernetes/images/ubuntu-container-disk.json
index 70490771..e7685393 100644
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.json
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json
@@ -1,4 +1,4 @@
 {
- "containerimage.config.digest": "sha256:77f663f46e86e66579e9025bb96511b9f547470bbd78716c11f9ccc25587c597",
- "containerimage.digest": "sha256:e3e5e5ec8732c5d585ccba38fd457dc9bf0b0d9bc394131c19934c2c11b66ec9"
+ "containerimage.config.digest": "sha256:24cee18d0bc9ed40e741412da86820dd99bdb9ffa4c794c81856725a4a10d86e",
+ "containerimage.digest": "sha256:6a43369905e0630bb401e1cf73084bbef3060e960756f261676cd3bea4195e9a"
 }
\ No newline at end of file
diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json
index ebbb5138..68f3bc54 100644
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,4 +1,4 @@
 {
- "containerimage.config.digest": "sha256:dac122af1e85d9d668e0a0260d08bb80892f1087b09fb4a4ace2e568257889d2",
- "containerimage.digest": "sha256:bc9029117d985748290b88839082b65b28aaa718b694ff686d6cf49971be424f"
+ "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188",
+ "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2"
 }
\ No newline at end of file
diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag
index ac4f6a03..27f181d5 100644
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.5.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.6.0
diff --git a/packages/core/installer/images/matchbox.json b/packages/core/installer/images/matchbox.json
index bae7399c..2ff00e73 100644
--- a/packages/core/installer/images/matchbox.json
+++ b/packages/core/installer/images/matchbox.json
@@ -1,4 +1,4 @@
 {
- "containerimage.config.digest": "sha256:f731c71f65f96700528d89de985fb0adea867dbe9952b11c146c89eea809986c",
- "containerimage.digest": "sha256:701b57ae218d71616432ef9f02f53ba5fcca98057f201b8f5db37d24281f1fae"
+ "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64",
+ "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6"
 }
\ No newline at end of file
diff --git a/packages/system/dashboard/images/dashboard.json b/packages/system/dashboard/images/dashboard.json
index bd6daef8..fa70d533 100644
--- a/packages/system/dashboard/images/dashboard.json
+++ b/packages/system/dashboard/images/dashboard.json
@@ -1,4 +1,4 @@
 {
- "containerimage.config.digest": "sha256:ff8fcec27b1ef0a815cb94bc71e616392e096c0b554e4c1e1c149fec7bbc85d0",
- "containerimage.digest": "sha256:ad0ecbe1e5b63f4a9842918014f644e2667327c946a5308dbab530bbcb543b92"
+ "containerimage.config.digest": "sha256:8126f86f18708a9157206884c63dc9df7f3090a33e05f4a1b94f2a7da7610c74",
+ "containerimage.digest": "sha256:e1a285812d1ce34bcf5c37db2a5c12ec99887c930b46ac261895dc98f674c066"
 }
\ No newline at end of file
diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag
index 3d28767b..7f20ff19 100644
--- a/packages/system/dashboard/images/dashboard.tag
+++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.5.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.6.0 diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index 7a39f578..f54437aa 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:582aef7b5b407698dd98c0491cfd0150303c489a42869ccd92ea08f7e0155a7f", - "containerimage.digest": "sha256:7587d68b7797ccf70c9775a543f28301c71553c2fef6e80d510a181c08021ce8" + "containerimage.config.digest": "sha256:79ac02f0fe54d2007b222efe05596a1bf35b8557e406d018f825a2334bd73249", + "containerimage.digest": "sha256:1c1dbee8e5c4be14e5df36a69be75a6a2907445564379e23b7f8fbea1afc7093" } \ No newline at end of file diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index 8d97f7de..6cd70ddb 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.5.0 +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.6.0 From 2b00fcf8f986387ddd4209b63ae0802a11d88fea Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 20 May 2024 20:53:19 +0200 Subject: [PATCH 04/25] etcd: enable autocompact and defrag (#137) Signed-off-by: Andrei Kvapil --- packages/extra/etcd/Chart.yaml | 2 +- .../extra/etcd/templates/etcd-cluster.yaml | 3 ++ .../extra/etcd/templates/etcd-defrag.yaml | 31 +++++++++++++++++++ packages/extra/versions_map | 3 +- 4 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 packages/extra/etcd/templates/etcd-defrag.yaml diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml index 3403ec0c..76d426a9 100644 --- a/packages/extra/etcd/Chart.yaml +++ b/packages/extra/etcd/Chart.yaml 
@@ -3,4 +3,4 @@ name: etcd description: Storage for Kubernetes clusters icon: https://www.svgrepo.com/show/353714/etcd.svg type: application -version: 2.0.1 +version: 2.1.0 diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml index 78bc5f00..6edf5616 100644 --- a/packages/extra/etcd/templates/etcd-cluster.yaml +++ b/packages/extra/etcd/templates/etcd-cluster.yaml @@ -15,6 +15,9 @@ metadata: spec: options: quota-backend-bytes: {{ include "calculateQuotaBackendBytes" .Values.size | quote }} + auto-compaction-mode: "periodic" + auto-compaction-retention: "5m" + snapshot-count: "10000" replicas: {{ .Values.replicas }} storage: volumeClaimTemplate: diff --git a/packages/extra/etcd/templates/etcd-defrag.yaml b/packages/extra/etcd/templates/etcd-defrag.yaml new file mode 100644 index 00000000..21a8e514 --- /dev/null +++ b/packages/extra/etcd/templates/etcd-defrag.yaml @@ -0,0 +1,31 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ .Release.Name }}-defrag +spec: + schedule: "0 * * * *" + successfulJobsHistoryLimit: 3 + jobTemplate: + spec: + template: + spec: + containers: + - name: etcd-defrag + image: ghcr.io/ahrtr/etcd-defrag:v0.13.0 + args: + - --endpoints={{ range $i, $e := until (int .Values.replicas) }}{{ if $i }},{{ end }}https://{{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-headless.{{ $.Release.Namespace }}.svc:2379{{ end }} + - --cacert=/etc/etcd/pki/client/cert/ca.crt + - --cert=/etc/etcd/pki/client/cert/tls.crt + - --key=/etc/etcd/pki/client/cert/tls.key + - --cluster + - --defrag-rule + - "dbQuotaUsage > 0.8 || dbSize - dbSizeInUse > 200*1024*1024" + volumeMounts: + - mountPath: /etc/etcd/pki/client/cert + name: client-certificate + readOnly: true + volumes: + - name: client-certificate + secret: + secretName: {{ .Release.Name }}-client-tls + restartPolicy: OnFailure diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 82611637..6bc2b2f9 100644 
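Review bot: The new `etcd-defrag.yaml` CronJob sets no `concurrencyPolicy`, so the default `Allow` lets an hourly defrag that runs long or hangs on an unreachable member overlap with the next run against the same cluster; add `concurrencyPolicy: Forbid` next to `schedule`, and `failedJobsHistoryLimit: 3` alongside `successfulJobsHistoryLimit` so failures stay visible. `image: ghcr.io/ahrtr/etcd-defrag:v0.13.0` is a mutable tag for a job that is handed the cluster's client key; pin it as `ghcr.io/ahrtr/etcd-defrag:v0.13.0@sha256:<DIGEST placeholder>`, as the container disk image in `cluster.yaml` already is. The container also carries no `resources` and no `securityContext`; `runAsNonRoot: true` with `allowPrivilegeEscalation: false` would match the read-only secret mount the job already uses. A comment above `--defrag-rule` explaining the `0.8` quota-usage and `200*1024*1024` free-space thresholds would help whoever tunes them later.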
--- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -1,5 +1,6 @@ etcd 1.0.0 f7eaab0 etcd 2.0.0 a6d0f7cf -etcd 2.0.1 HEAD +etcd 2.0.1 6fc1cc7d +etcd 2.1.0 HEAD ingress 1.0.0 HEAD monitoring 1.0.0 HEAD From 6abaf7c0fa73db892271e9f5e9cfeb71b4171f15 Mon Sep 17 00:00:00 2001 From: Marian Koreniuk Date: Tue, 21 May 2024 02:29:34 +0200 Subject: [PATCH 05/25] switched place -maxdepth im Makefiles (#140) --- packages/apps/Makefile | 2 +- packages/extra/Makefile | 2 +- packages/system/Makefile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/apps/Makefile b/packages/apps/Makefile index 22937eff..506c8750 100644 --- a/packages/apps/Makefile +++ b/packages/apps/Makefile @@ -11,7 +11,7 @@ repo: rm -rf "$(TMP)" fix-chartnames: - find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done + find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done gen-versions-map: fix-chartnames ../../hack/gen_versions_map.sh diff --git a/packages/extra/Makefile b/packages/extra/Makefile index 6b3ff995..5586c59e 100644 --- a/packages/extra/Makefile +++ b/packages/extra/Makefile @@ -11,7 +11,7 @@ repo: rm -rf "$(TMP)" fix-chartnames: - find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done + find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done gen-versions-map: fix-chartnames ../../hack/gen_versions_map.sh diff --git a/packages/system/Makefile b/packages/system/Makefile index 9162b1a4..e40b0bf1 100644 --- a/packages/system/Makefile +++ b/packages/system/Makefile 
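Review bot: The reordered `find . -maxdepth 2 -name Chart.yaml` still feeds `while read i` without `-r` and without `-mindepth 2`, so a `Chart.yaml` at the top level would yield `$$i` = `Chart.yaml` and a `sed -i` on the nonexistent `Chart.yaml/Chart.yaml`; `find . -mindepth 2 -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read -r i; do ...` closes both gaps. The same recipe line is changed in `packages/extra/Makefile` and `packages/system/Makefile` in this commit and should get the same treatment. Note also that the loop's exit status is that of its last `sed`, so a failure on an earlier chart is not reported by `make`; a comment on `fix-chartnames:` saying so would at least make the limitation visible.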
@@ -9,4 +9,4 @@ repo: cd "$(OUT)" && helm repo index . fix-chartnames: - find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done + find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done From 4a97e297d43d6c8fbdf85ffe99e3748a0779bffe Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 21 May 2024 02:29:49 +0200 Subject: [PATCH 06/25] postgres: fix users and roles (#138) Signed-off-by: Andrei Kvapil --- packages/apps/postgres/Chart.yaml | 2 +- packages/apps/postgres/templates/init-script.yaml | 6 +++--- packages/apps/versions_map | 3 ++- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml index c9e8d9f5..89dee73f 100644 --- a/packages/apps/postgres/Chart.yaml +++ b/packages/apps/postgres/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.2.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/postgres/templates/init-script.yaml b/packages/apps/postgres/templates/init-script.yaml index e402fce3..f5f6431c 100644 --- a/packages/apps/postgres/templates/init-script.yaml +++ b/packages/apps/postgres/templates/init-script.yaml 
@@ -100,13 +100,13 @@ stringData: echo "== assign roles to users" psql -v ON_ERROR_STOP=1 --echo-all <<\EOT {{- range $database, $d := .Values.databases }} - {{- range $user, $u := $.Values.roles }} - {{- if has $user $d.users.admin }} + {{- range $user, $u := $.Values.users }} + {{- if has $user $d.roles.admin }} GRANT {{ $database }}_admin TO {{ $user }}; {{- else }} REVOKE {{ $database }}_admin FROM {{ $user }}; {{- end }} - {{- if has $user $d.users.readonly }} + {{- if has $user $d.roles.readonly }} GRANT {{ $database }}_readonly TO {{ $user }}; {{- else }} REVOKE {{ $database }}_readonly FROM {{ $user }}; diff --git a/packages/apps/versions_map b/packages/apps/versions_map index e0b4f8b4..41965a09 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -11,7 +11,8 @@ mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD postgres 0.1.0 f642698 -postgres 0.2.0 HEAD +postgres 0.2.0 7cd7de73 +postgres 0.2.1 HEAD rabbitmq 0.1.0 f642698 rabbitmq 0.2.0 HEAD redis 0.1.1 f642698 From 6cae6ce8ce3cfe455b01c13d33770a13711808a5 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 21 May 2024 11:22:37 +0200 Subject: [PATCH 07/25] kubernetes: enable bpf masqurade and tunnel routing (#144) --- packages/apps/kubernetes/Chart.yaml | 2 +- packages/apps/kubernetes/templates/cluster.yaml | 4 ++-- .../apps/kubernetes/templates/helmreleases/cilium.yaml | 8 +++++--- packages/apps/versions_map | 3 ++- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 2028768d..39e8cc22 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml 
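Review bot: `GRANT {{ $database }}_admin TO {{ $user }};` and the matching `REVOKE`/`_readonly` lines interpolate user and database names from values into the psql heredoc as bare identifiers, so a name containing a space, a quote or `;` either aborts the script under `ON_ERROR_STOP` or changes what is granted; since these names come from the release's values, validate them at render time, e.g. `{{- if not (regexMatch "^[a-z_][a-z0-9_]*$" $user) }}{{ fail (printf "invalid user name %q" $user) }}{{ end }}` at the top of the `$.Values.users` range, with the same check for `$database`. The new `$d.roles.admin` also fails rendering with a "nil pointer evaluating" error when a database entry omits `roles`; if `roles` is optional, read it as `has $user ($d.roles | default dict).admin` (and likewise for `readonly`), otherwise document it as required in `values.yaml`. The heredoc and the outer `range` over `.Values.databases` continue outside the hunk.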
@@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.0 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index 19aebd00..345265fd 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml @@ -55,7 +55,7 @@ spec: className: "{{ $ingress }}" deployment: replicas: 2 - version: 1.29.0 + version: 1.29.4 --- apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 kind: KubevirtCluster @@ -176,5 +176,5 @@ spec: kind: KubevirtMachineTemplate name: {{ $.Release.Name }}-{{ $groupName }} namespace: default - version: v1.29.0 + version: v1.29.4 {{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml index 96c759fd..14577407 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml @@ -26,7 +26,9 @@ spec: values: cilium: tunnel: disabled - autoDirectNodeRoutes: true + autoDirectNodeRoutes: false + bpf: + masquerade: true cgroup: autoMount: enabled: true @@ -38,9 +40,9 @@ spec: chainingMode: ~ customConf: false configMap: "" - routingMode: native + routingMode: tunnel enableIPv4Masquerade: true - ipv4NativeRoutingCIDR: "10.244.0.0/16" + ipv4NativeRoutingCIDR: "" dependsOn: - name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 41965a09..bd195c9a 100644 --- a/packages/apps/versions_map 
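Review bot: In `cilium.yaml` the new `routingMode: tunnel` sits a few lines below the untouched `tunnel: disabled`; on Cilium chart versions that still honour the legacy `tunnel` key (superseded by `routingMode`/`tunnelProtocol` in 1.14) the two say opposite things, so either drop `tunnel: disabled` or add a comment stating which key the deployed chart reads. `bpf.masquerade: true`, added in the first hunk, presumably requires Cilium's BPF NodePort / kube-proxy replacement to be enabled — confirm the values this HelmRelease renders enable it, since I believe the agent otherwise refuses to start. The second hunk in the same file (`routingMode`, `ipv4NativeRoutingCIDR: ""`) belongs to the same switch and needs no separate change.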
+++ b/packages/apps/versions_map @@ -6,7 +6,8 @@ kafka 0.1.0 760f86d2 kafka 0.2.0 HEAD kubernetes 0.1.0 f642698 kubernetes 0.2.0 7cd7de73 -kubernetes 0.3.0 HEAD +kubernetes 0.3.0 7caccec1 +kubernetes 0.4.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD From f30f7be6cc0c7e035bd945fc213cf57725ac4abb Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 21 May 2024 11:22:54 +0200 Subject: [PATCH 08/25] Unhardcode cluster.local domain (#142) Allow using other domains for the cluster Signed-off-by: Andrei Kvapil --- packages/core/fluxcd/Makefile | 7 +++++++ .../fluxcd/charts/flux2/templates/helm-controller.yaml | 2 +- .../flux2/templates/image-automation-controller.yaml | 2 +- .../charts/flux2/templates/image-reflector-controller.yaml | 2 +- .../charts/flux2/templates/kustomize-controller.yaml | 2 +- .../fluxcd/charts/flux2/templates/source-controller.yaml | 4 ++-- packages/system/dashboard/Makefile | 1 + .../charts/kubeapps/templates/kubeappsapis/deployment.yaml | 2 +- 8 files changed, 15 insertions(+), 7 deletions(-) diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile index 7f1ddacf..9a44bd14 100644 --- a/packages/core/fluxcd/Makefile +++ b/packages/core/fluxcd/Makefile @@ -11,3 +11,10 @@ apply: diff: helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f- + +update: + rm -rf charts + helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts + helm repo update fluxcd-community + helm pull fluxcd-community/flux2 --untar --untardir charts + sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts` diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml index 0811c156..8177c17c 100644 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml 
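Review bot: In the new `update` target the backtick `grep -rl ... charts` expands to nothing once upstream stops emitting the `.{{ .Values.clusterDomain | default "cluster.local" }}.` suffix, and GNU `sed -i` with no file operands then fails with "no input files"; `grep -rl '...' charts | xargs -r sed -i 's/.../g'` makes the step a clean no-op in that case. `helm pull fluxcd-community/flux2` is unpinned, so each run vendors whatever the repository's latest chart is; add `--version <CHART_VERSION placeholder>` so the contents of `charts/` can be reproduced and diffed against a known upstream. Dropping the `.<clusterDomain>.` suffix turns the controllers' FQDNs into search-relative names, which is the commit's intent but deserves a comment on the `sed` line, because the rewrite is re-applied on every update instead of living in the vendored files.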
+++ b/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml @@ -44,7 +44,7 @@ spec: - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }} {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml index 47da44d5..40e4da8d 100644 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml @@ -43,7 +43,7 @@ spec: - --no-cross-namespace-refs=true {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml index 58abd295..6be9c3e1 100644 --- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml 
@@ -43,7 +43,7 @@ spec: - --no-cross-namespace-refs=true {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml index fff3ed0d..6473dbe0 100644 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml @@ -44,7 +44,7 @@ spec: - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }} {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml index 46c7cfe8..517b54bd 100644 --- a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml 
@@ -38,14 +38,14 @@ spec: containers: - args: {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} - --log-encoding=json - --enable-leader-election - --storage-path=/data - - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc {{- range .Values.sourceController.container.additionalArgs }} - {{ . }} {{- end}} diff --git a/packages/system/dashboard/Makefile b/packages/system/dashboard/Makefile index 7172288b..f7a66c71 100644 --- a/packages/system/dashboard/Makefile +++ b/packages/system/dashboard/Makefile @@ -14,6 +14,7 @@ update-chart: helm pull bitnami/kubeapps --untar --untardir charts rm -rf charts/kubeapps/charts/postgresql/ ln -s ../../images charts/kubeapps/images + sed -i 's/.cluster.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml update-dockerfiles: tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps | awk -F'[/^]' 'END{print $$3}') && \ diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml index 61d6e603..5791a2f4 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml 
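Review bot: The new `sed -i 's/.cluster.local//g'` in the dashboard Makefile leaves the dots unescaped, so the pattern matches any character in place of each dot; write it as `sed -i 's/\.cluster\.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml`. As with the fluxcd `update` target in this commit, a one-line comment saying the rewrite makes the Redis address search-relative would explain why a vendored chart is patched after `helm pull`.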
@@ -133,7 +133,7 @@ spec: # longer-term pass something to the plugins so that the plugins won't need to # know these details). Currently they're used directly by the flux plugin - name: REDIS_ADDR - value: {{ printf "%s-master.%s.svc.cluster.local:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }} + value: {{ printf "%s-master.%s.svc:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }} - name: REDIS_PASSWORD valueFrom: secretKeyRef:
From 2cf23364b472206bdecb936c34f8910ce35031f2 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Tue, 21 May 2024 11:23:10 +0200
Subject: [PATCH 09/25] kamaji: unhardcode cluster.local domain (#145)
Signed-off-by: Andrei Kvapil
---
packages/system/kamaji/values.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/packages/system/kamaji/values.yaml b/packages/system/kamaji/values.yaml
index 2ef13714..de677502 100644
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -1,3 +1,8 @@ kamaji: etcd: deploy: false
+
+ # Fix https://github.com/clastix/kamaji/pull/467
+ image:
+ repository: ghcr.io/kvaps/test
+ tag: kamaji-v0.6.0-fix
From 5f01f30fe7d6cc8e5383e3ff247ff4fe7bdd0045 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Wed, 22 May 2024 08:32:06 +0200
Subject: [PATCH 10/25] kubernetes: specify correct dns address (#147)
---
packages/apps/kubernetes/templates/cluster.yaml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml
index 345265fd..baa0bc6b 100644
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -39,7 +39,9 @@ metadata: spec: dataStoreName: "{{ $etcd }}" addons:
- coreDNS: {}
+ coreDNS:
+ dnsServiceIPs:
+ - 10.95.0.10
konnectivity: {} kubelet: cgroupfs: systemd
From 48df98230f83eff22b767e902928391aa536c3b1 Mon Sep 17 00:00:00 2001
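Review bot: `repository: ghcr.io/kvaps/test` points the Kamaji image at a personal scratch repository with a mutable tag and no digest, so what runs after an install is whatever that repository serves at pull time, the build is not reproducible, and the image is not tied to a reviewed source. The comment only links the upstream PR; it should say what breaks without the fix, how the image was built, and that the override is temporary, e.g. `# TEMPORARY: fork build carrying clastix/kamaji#467; drop once it ships in an upstream release`. If the chart's image block accepts a digest, pin one here; otherwise use an immutable, commit-identified tag rather than `kamaji-v0.6.0-fix`.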
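Review bot: The CoreDNS service IP `10.95.0.10` is hard-coded into a chart template, so every tenant cluster rendered from it gets the same address whether or not it falls inside that cluster's service CIDR, and nothing in the hunk shows where that CIDR is defined, so the two cannot be checked for agreement here. Derive the entry from the same value that defines the service CIDR, or expose it as a chart value with this address as the default, and put a comment above it such as `# must lie inside the tenant cluster's service CIDR (kubeadm convention: the 10th address of that range)` so the coupling is visible to whoever changes either side.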
From: Marian Koreniuk
Date: Fri, 24 May 2024 12:44:56 +0200
Subject: [PATCH 11/25] change hardcode for talos registry (#148)
without this fix can't build project localy
---
packages/core/installer/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/core/installer/Makefile b/packages/core/installer/Makefile
index 5e96fb48..7cea7ed7 100644
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -34,8 +34,8 @@ image-cozystack: image-talos: test -f ../../../_out/assets/installer-amd64.tar || make talos-installer docker load -i ../../../_out/assets/installer-amd64.tar
- docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
- docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+ docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+ docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
image-matchbox: test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
From 3254cc784ec0f155889152a960027fcd76210a5f Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Fri, 24 May 2024 17:39:38 +0200
Subject: [PATCH 12/25] Update Cilium v1.15.5
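Review bot: `$(REGISTRY)` has no visible default in this hunk, so if the variable is not assigned elsewhere in the Makefile (not visible here) the reference expands to `/talos:…`, which `docker tag` rejects as an invalid reference with no hint to a local builder about which variable to set. If it is not already defined above, add `REGISTRY ?= ghcr.io/aenix-io/cozystack` near the top of the file so the previously hard-coded destination remains the default for CI and a local build overrides it with one variable; the `image-cozystack` target named in the hunk header presumably uses the same variable and would share that default.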
Signed-off-by: Andrei Kvapil --- packages/system/cilium/Makefile | 2 +- .../system/cilium/charts/cilium/Chart.yaml | 207 ++-- .../system/cilium/charts/cilium/README.md | 139 ++- .../dashboards/cilium-dashboard.json | 382 +++++-- .../configmap/bootstrap-config.json | 8 + .../hubble/dashboards/hubble-dashboard.json | 2 +- .../dashboards/hubble-dns-namespace.json | 602 ++++++++++ .../hubble-network-overview-namespace.json | 1001 +++++++++++++++++ .../templates/cilium-agent/clusterrole.yaml | 8 + .../cilium-agent/clusterrolebinding.yaml | 4 + .../templates/cilium-agent/daemonset.yaml | 56 +- .../cilium-agent/dashboards-configmap.yaml | 9 +- .../cilium/templates/cilium-agent/role.yaml | 36 + .../templates/cilium-agent/rolebinding.yaml | 35 + .../templates/cilium-agent/service.yaml | 4 + .../cilium-agent/serviceaccount.yaml | 9 +- .../cilium-agent/servicemonitor.yaml | 12 +- .../cilium/templates/cilium-ca-secret.yaml | 2 +- .../cilium/templates/cilium-configmap.yaml | 144 ++- .../templates/cilium-envoy/configmap.yaml | 4 + .../templates/cilium-envoy/daemonset.yaml | 21 +- .../templates/cilium-envoy/service.yaml | 7 +- .../cilium-envoy/serviceaccount.yaml | 9 +- .../cilium-envoy/servicemonitor.yaml | 9 +- .../templates/cilium-flowlog-configmap.yaml | 12 + .../templates/cilium-gateway-api-class.yaml | 4 +- .../templates/cilium-nodeinit/daemonset.yaml | 15 + .../cilium-nodeinit/serviceaccount.yaml | 9 +- .../cilium-operator/clusterrole.yaml | 16 + .../cilium-operator/clusterrolebinding.yaml | 4 + .../cilium-operator/dashboards-configmap.yaml | 9 +- .../templates/cilium-operator/deployment.yaml | 4 + .../cilium-operator/poddisruptionbudget.yaml | 4 + .../templates/cilium-operator/role.yaml | 8 + .../cilium-operator/rolebinding.yaml | 8 + .../templates/cilium-operator/secret.yaml | 4 + .../templates/cilium-operator/service.yaml | 4 + .../cilium-operator/serviceaccount.yaml | 9 +- .../cilium-operator/servicemonitor.yaml | 12 +- .../cilium-preflight/clusterrole.yaml | 8 + 
.../cilium-preflight/clusterrolebinding.yaml | 4 + .../templates/cilium-preflight/daemonset.yaml | 6 +- .../cilium-preflight/deployment.yaml | 6 +- .../cilium-preflight/poddisruptionbudget.yaml | 4 + .../cilium-preflight/serviceaccount.yaml | 9 +- .../templates/cilium-secrets-namespace.yaml | 34 +- .../clustermesh-apiserver/clusterrole.yaml | 4 + .../clusterrolebinding.yaml | 4 + .../clustermesh-apiserver/deployment.yaml | 112 +- .../metrics-service.yaml | 4 + .../poddisruptionbudget.yaml | 4 + .../clustermesh-apiserver/service.yaml | 9 +- .../clustermesh-apiserver/serviceaccount.yaml | 9 +- .../clustermesh-apiserver/servicemonitor.yaml | 9 +- .../tls-certmanager/admin-secret.yaml | 4 + .../tls-certmanager/client-secret.yaml | 4 + .../tls-certmanager/remote-secret.yaml | 4 + .../tls-certmanager/server-secret.yaml | 4 + .../tls-cronjob/_job-spec.tpl | 10 +- .../tls-cronjob/ca-secret.yaml | 15 - .../tls-cronjob/cronjob.yaml | 4 + .../tls-cronjob/job.yaml | 3 + .../tls-cronjob/role.yaml | 5 +- .../tls-cronjob/rolebinding.yaml | 4 + .../tls-cronjob/serviceaccount.yaml | 9 +- .../tls-helm/_helpers.tpl | 37 - .../tls-helm/admin-secret.yaml | 10 +- .../tls-helm/ca-secret.yaml | 12 - .../tls-helm/client-secret.yaml | 10 +- .../tls-helm/remote-secret.yaml | 10 +- .../tls-helm/server-secret.yaml | 10 +- .../tls-provided/admin-secret.yaml | 6 +- .../tls-provided/ca-secret.yaml | 12 - .../tls-provided/client-secret.yaml | 6 +- .../tls-provided/remote-secret.yaml | 6 +- .../tls-provided/server-secret.yaml | 6 +- .../users-configmap.yaml | 4 + .../templates/clustermesh-config/_helpers.tpl | 5 +- .../clustermesh-secret.yaml | 16 +- .../kvstoremesh-secret.yaml | 11 +- .../cilium-etcd-operator-clusterrole.yaml | 4 + ...lium-etcd-operator-clusterrolebinding.yaml | 4 + .../cilium-etcd-operator-deployment.yaml | 4 + .../cilium-etcd-operator-serviceaccount.yaml | 9 +- .../etcd-operator-clusterrole.yaml | 4 + .../etcd-operator-clusterrolebinding.yaml | 4 + 
.../etcd-operator-serviceaccount.yaml | 9 +- .../etcd-operator/poddisruptionbudget.yaml | 4 + .../templates/hubble-relay/configmap.yaml | 4 + .../templates/hubble-relay/deployment.yaml | 41 +- .../hubble-relay/metrics-service.yaml | 4 + .../hubble-relay/poddisruptionbudget.yaml | 4 + .../templates/hubble-relay/service.yaml | 4 + .../hubble-relay/serviceaccount.yaml | 9 +- .../hubble-relay/servicemonitor.yaml | 9 +- .../cilium/templates/hubble-ui/_nginx.tpl | 7 + .../templates/hubble-ui/clusterrole.yaml | 4 + .../hubble-ui/clusterrolebinding.yaml | 4 + .../cilium/templates/hubble-ui/configmap.yaml | 4 + .../templates/hubble-ui/deployment.yaml | 26 +- .../cilium/templates/hubble-ui/ingress.yaml | 9 +- .../hubble-ui/poddisruptionbudget.yaml | 4 + .../cilium/templates/hubble-ui/service.yaml | 9 +- .../templates/hubble-ui/serviceaccount.yaml | 9 +- .../hubble/dashboards-configmap.yaml | 9 +- .../templates/hubble/metrics-service.yaml | 3 + .../cilium/templates/hubble/peer-service.yaml | 4 + .../templates/hubble/servicemonitor.yaml | 12 +- .../tls-certmanager/relay-client-secret.yaml | 4 + .../tls-certmanager/relay-server-secret.yaml | 4 + .../hubble/tls-certmanager/server-secret.yaml | 4 + .../tls-certmanager/ui-client-certs.yaml | 4 + .../hubble/tls-cronjob/_job-spec.tpl | 4 + .../hubble/tls-cronjob/clusterrole.yaml | 4 + .../tls-cronjob/clusterrolebinding.yaml | 4 + .../templates/hubble/tls-cronjob/cronjob.yaml | 9 +- .../templates/hubble/tls-cronjob/job.yaml | 3 + .../hubble/tls-cronjob/serviceaccount.yaml | 9 +- .../hubble/tls-helm/relay-client-secret.yaml | 4 + .../hubble/tls-helm/relay-server-secret.yaml | 4 + .../hubble/tls-helm/server-secret.yaml | 4 + .../hubble/tls-helm/ui-client-certs.yaml | 4 + .../tls-provided/relay-client-secret.yaml | 4 + .../tls-provided/relay-server-secret.yaml | 4 + .../hubble/tls-provided/server-secret.yaml | 4 + .../hubble/tls-provided/ui-client-certs.yaml | 4 + .../templates/spire/agent/clusterrole.yaml | 4 + 
.../spire/agent/clusterrolebinding.yaml | 4 + .../templates/spire/agent/configmap.yaml | 4 + .../templates/spire/agent/daemonset.yaml | 17 +- .../templates/spire/agent/serviceaccount.yaml | 4 + .../templates/spire/bundle-configmap.yaml | 4 + .../cilium/templates/spire/namespace.yaml | 6 +- .../templates/spire/server/clusterrole.yaml | 4 + .../spire/server/clusterrolebinding.yaml | 4 + .../templates/spire/server/configmap.yaml | 4 + .../cilium/templates/spire/server/role.yaml | 4 + .../templates/spire/server/rolebinding.yaml | 8 + .../templates/spire/server/service.yaml | 9 +- .../spire/server/serviceaccount.yaml | 4 + .../templates/spire/server/statefulset.yaml | 25 +- .../charts/cilium/templates/validate.yaml | 27 + .../system/cilium/charts/cilium/values.yaml | 466 ++++++-- .../cilium/charts/cilium/values.yaml.tmpl | 432 +++++--
144 files changed, 3921 insertions(+), 698 deletions(-)
create mode 100644 packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json
create mode 100644 packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json
create mode 100644 packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml
delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml
delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl
delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml
delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml
diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile
index 45287aba..038b767c 100644
--- a/packages/system/cilium/Makefile
+++ b/packages/system/cilium/Makefile
@@ -7,6 +7,6 @@ update: rm -rf charts helm repo add cilium https://helm.cilium.io/ helm repo update cilium
- helm pull cilium/cilium --untar --untardir charts --version 1.14
+ helm pull cilium/cilium --untar --untardir charts --version 1.15
sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
diff --git a/packages/system/cilium/charts/cilium/Chart.yaml b/packages/system/cilium/charts/cilium/Chart.yaml
index 1ce003b3..f393c004 100644
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -1,131 +1,88 @@ annotations: - artifacthub.io/crds: | - - kind: CiliumNetworkPolicy - version: v2 - name: ciliumnetworkpolicies.cilium.io - displayName: Cilium Network Policy - description: | - Cilium Network Policies provide additional functionality beyond what - is provided by standard Kubernetes NetworkPolicy such as the ability - to allow traffic based on FQDNs, or to filter at Layer 7. - - kind: CiliumClusterwideNetworkPolicy - version: v2 - name: ciliumclusterwidenetworkpolicies.cilium.io - displayName: Cilium Clusterwide Network Policy - description: | - Cilium Clusterwide Network Policies support configuring network traffic - policiies across the entire cluster, including applying node firewalls. - - kind: CiliumExternalWorkload - version: v2 - name: ciliumexternalworkloads.cilium.io - displayName: Cilium External Workload - description: | - Cilium External Workload supports configuring the ability for external - non-Kubernetes workloads to join the cluster. - - kind: CiliumLocalRedirectPolicy - version: v2 - name: ciliumlocalredirectpolicies.cilium.io - displayName: Cilium Local Redirect Policy - description: | - Cilium Local Redirect Policy allows local redirects to be configured - within a node to support use cases like Node-Local DNS or KIAM. - - kind: CiliumNode - version: v2 - name: ciliumnodes.cilium.io - displayName: Cilium Node - description: | - Cilium Node represents a node managed by Cilium. It contains a - specification to control various node specific configuration aspects - and a status section to represent the status of the node. - - kind: CiliumIdentity - version: v2 - name: ciliumidentities.cilium.io - displayName: Cilium Identity - description: | - Cilium Identity allows introspection into security identities that - Cilium allocates which identify sets of labels that are assigned to - individual endpoints in the cluster. 
- - kind: CiliumEndpoint - version: v2 - name: ciliumendpoints.cilium.io - displayName: Cilium Endpoint - description: | - Cilium Endpoint represents the status of individual pods or nodes in - the cluster which are managed by Cilium, including enforcement status, - IP addressing and whether the networking is succesfully operational. - - kind: CiliumEndpointSlice - version: v2alpha1 - name: ciliumendpointslices.cilium.io - displayName: Cilium Endpoint Slice - description: | - Cilium Endpoint Slice represents the status of groups of pods or nodes - in the cluster which are managed by Cilium, including enforcement status, - IP addressing and whether the networking is succesfully operational. - - kind: CiliumEgressGatewayPolicy - version: v2 - name: ciliumegressgatewaypolicies.cilium.io - displayName: Cilium Egress Gateway Policy - description: | - Cilium Egress Gateway Policy provides control over the way that traffic - leaves the cluster and which source addresses to use for that traffic. - - kind: CiliumClusterwideEnvoyConfig - version: v2 - name: ciliumclusterwideenvoyconfigs.cilium.io - displayName: Cilium Clusterwide Envoy Config - description: | - Cilium Clusterwide Envoy Config specifies Envoy resources and K8s service mappings - to be provisioned into Cilium host proxy instances in cluster context. - - kind: CiliumEnvoyConfig - version: v2 - name: ciliumenvoyconfigs.cilium.io - displayName: Cilium Envoy Config - description: | - Cilium Envoy Config specifies Envoy resources and K8s service mappings - to be provisioned into Cilium host proxy instances in namespace context. - - kind: CiliumBGPPeeringPolicy - version: v2alpha1 - name: ciliumbgppeeringpolicies.cilium.io - displayName: Cilium BGP Peering Policy - description: | - Cilium BGP Peering Policy instructs Cilium to create specific BGP peering - configurations. 
- - kind: CiliumLoadBalancerIPPool - version: v2alpha1 - name: ciliumloadbalancerippools.cilium.io - displayName: Cilium Load Balancer IP Pool - description: | - Defining a Cilium Load Balancer IP Pool instructs Cilium to assign IPs to LoadBalancer Services. - - kind: CiliumNodeConfig - version: v2alpha1 - name: ciliumnodeconfigs.cilium.io - displayName: Cilium Node Configuration - description: | - CiliumNodeConfig is a list of configuration key-value pairs. It is applied to - nodes indicated by a label selector. - - kind: CiliumCIDRGroup - version: v2alpha1 - name: ciliumcidrgroups.cilium.io - displayName: Cilium CIDR Group - description: | - CiliumCIDRGroup is a list of CIDRs that can be referenced as a single entity from CiliumNetworkPolicies. - - kind: CiliumL2AnnouncementPolicy - version: v2alpha1 - name: ciliuml2announcementpolicies.cilium.io - displayName: Cilium L2 Announcement Policy - description: | - CiliumL2AnnouncementPolicy is a policy which determines which service IPs will be announced to - the local area network, by which nodes, and via which interfaces. - - kind: CiliumPodIPPool - version: v2alpha1 - name: ciliumpodippools.cilium.io - displayName: Cilium Pod IP Pool - description: | - CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode). 
+ artifacthub.io/crds: "- kind: CiliumNetworkPolicy\n version: v2\n name: ciliumnetworkpolicies.cilium.io\n + \ displayName: Cilium Network Policy\n description: |\n Cilium Network Policies + provide additional functionality beyond what\n is provided by standard Kubernetes + NetworkPolicy such as the ability\n to allow traffic based on FQDNs, or to + filter at Layer 7.\n- kind: CiliumClusterwideNetworkPolicy\n version: v2\n name: + ciliumclusterwidenetworkpolicies.cilium.io\n displayName: Cilium Clusterwide + Network Policy\n description: |\n Cilium Clusterwide Network Policies support + configuring network traffic\n policiies across the entire cluster, including + applying node firewalls.\n- kind: CiliumExternalWorkload\n version: v2\n name: + ciliumexternalworkloads.cilium.io\n displayName: Cilium External Workload\n description: + |\n Cilium External Workload supports configuring the ability for external\n + \ non-Kubernetes workloads to join the cluster.\n- kind: CiliumLocalRedirectPolicy\n + \ version: v2\n name: ciliumlocalredirectpolicies.cilium.io\n displayName: Cilium + Local Redirect Policy\n description: |\n Cilium Local Redirect Policy allows + local redirects to be configured\n within a node to support use cases like + Node-Local DNS or KIAM.\n- kind: CiliumNode\n version: v2\n name: ciliumnodes.cilium.io\n + \ displayName: Cilium Node\n description: |\n Cilium Node represents a node + managed by Cilium. 
It contains a\n specification to control various node specific + configuration aspects\n and a status section to represent the status of the + node.\n- kind: CiliumIdentity\n version: v2\n name: ciliumidentities.cilium.io\n + \ displayName: Cilium Identity\n description: |\n Cilium Identity allows introspection + into security identities that\n Cilium allocates which identify sets of labels + that are assigned to\n individual endpoints in the cluster.\n- kind: CiliumEndpoint\n + \ version: v2\n name: ciliumendpoints.cilium.io\n displayName: Cilium Endpoint\n + \ description: |\n Cilium Endpoint represents the status of individual pods + or nodes in\n the cluster which are managed by Cilium, including enforcement + status,\n IP addressing and whether the networking is successfully operational.\n- + kind: CiliumEndpointSlice\n version: v2alpha1\n name: ciliumendpointslices.cilium.io\n + \ displayName: Cilium Endpoint Slice\n description: |\n Cilium Endpoint Slice + represents the status of groups of pods or nodes\n in the cluster which are + managed by Cilium, including enforcement status,\n IP addressing and whether + the networking is successfully operational.\n- kind: CiliumEgressGatewayPolicy\n + \ version: v2\n name: ciliumegressgatewaypolicies.cilium.io\n displayName: Cilium + Egress Gateway Policy\n description: |\n Cilium Egress Gateway Policy provides + control over the way that traffic\n leaves the cluster and which source addresses + to use for that traffic.\n- kind: CiliumClusterwideEnvoyConfig\n version: v2\n + \ name: ciliumclusterwideenvoyconfigs.cilium.io\n displayName: Cilium Clusterwide + Envoy Config\n description: |\n Cilium Clusterwide Envoy Config specifies + Envoy resources and K8s service mappings\n to be provisioned into Cilium host + proxy instances in cluster context.\n- kind: CiliumEnvoyConfig\n version: v2\n + \ name: ciliumenvoyconfigs.cilium.io\n displayName: Cilium Envoy Config\n description: + |\n Cilium Envoy Config specifies Envoy 
resources and K8s service mappings\n + \ to be provisioned into Cilium host proxy instances in namespace context.\n- + kind: CiliumBGPPeeringPolicy\n version: v2alpha1\n name: ciliumbgppeeringpolicies.cilium.io\n + \ displayName: Cilium BGP Peering Policy\n description: |\n Cilium BGP Peering + Policy instructs Cilium to create specific BGP peering\n configurations.\n- + kind: CiliumBGPClusterConfig\n version: v2alpha1\n name: ciliumbgpclusterconfigs.cilium.io\n + \ displayName: Cilium BGP Cluster Config\n description: |\n Cilium BGP Cluster + Config instructs Cilium operator to create specific BGP cluster\n configurations.\n- + kind: CiliumBGPPeerConfig\n version: v2alpha1\n name: ciliumbgppeerconfigs.cilium.io\n + \ displayName: Cilium BGP Peer Config\n description: |\n CiliumBGPPeerConfig + is a common set of BGP peer configurations. It can be referenced \n by multiple + peers from CiliumBGPClusterConfig.\n- kind: CiliumBGPAdvertisement\n version: + v2alpha1\n name: ciliumbgpadvertisements.cilium.io\n displayName: Cilium BGP + Advertisement\n description: |\n CiliumBGPAdvertisement is used to define + source of BGP advertisement as well as BGP attributes \n to be advertised with + those prefixes.\n- kind: CiliumBGPNodeConfig\n version: v2alpha1\n name: ciliumbgpnodeconfigs.cilium.io\n + \ displayName: Cilium BGP Node Config\n description: |\n CiliumBGPNodeConfig + is read only node specific BGP configuration. 
It is constructed by Cilium operator.\n + \ It will also contain node local BGP state information.\n- kind: CiliumBGPNodeConfigOverride\n + \ version: v2alpha1\n name: ciliumbgpnodeconfigoverrides.cilium.io\n displayName: + Cilium BGP Node Config Override\n description: |\n CiliumBGPNodeConfigOverride + can be used to override node specific BGP configuration.\n- kind: CiliumLoadBalancerIPPool\n + \ version: v2alpha1\n name: ciliumloadbalancerippools.cilium.io\n displayName: + Cilium Load Balancer IP Pool\n description: |\n Defining a Cilium Load Balancer + IP Pool instructs Cilium to assign IPs to LoadBalancer Services.\n- kind: CiliumNodeConfig\n + \ version: v2alpha1\n name: ciliumnodeconfigs.cilium.io\n displayName: Cilium + Node Configuration\n description: |\n CiliumNodeConfig is a list of configuration + key-value pairs. It is applied to\n nodes indicated by a label selector.\n- + kind: CiliumCIDRGroup\n version: v2alpha1\n name: ciliumcidrgroups.cilium.io\n + \ displayName: Cilium CIDR Group\n description: |\n CiliumCIDRGroup is a list + of CIDRs that can be referenced as a single entity from CiliumNetworkPolicies.\n- + kind: CiliumL2AnnouncementPolicy\n version: v2alpha1\n name: ciliuml2announcementpolicies.cilium.io\n + \ displayName: Cilium L2 Announcement Policy\n description: |\n CiliumL2AnnouncementPolicy + is a policy which determines which service IPs will be announced to\n the local + area network, by which nodes, and via which interfaces.\n- kind: CiliumPodIPPool\n + \ version: v2alpha1\n name: ciliumpodippools.cilium.io\n displayName: Cilium + Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can + be used for pooled IPAM (i.e. 
the multi-pool IPAM mode).\n" apiVersion: v2 -appVersion: 1.14.10 +appVersion: 1.15.5 description: eBPF-based Networking, Security, and Observability home: https://cilium.io/ -icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg +icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg keywords: - BPF - eBPF
@@ -138,4 +95,4 @@ kubeVersion: '>= 1.16.0-0' name: cilium sources: - https://github.com/cilium/cilium
-version: 1.14.10
+version: 1.15.5
diff --git a/packages/system/cilium/charts/cilium/README.md b/packages/system/cilium/charts/cilium/README.md
index 35c70b10..98e52a92 100644
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@ # cilium
-![Version: 1.14.10](https://img.shields.io/badge/Version-1.14.10-informational?style=flat-square) ![AppVersion: 1.14.10](https://img.shields.io/badge/AppVersion-1.14.10-informational?style=flat-square)
+![Version: 1.15.5](https://img.shields.io/badge/Version-1.15.5-informational?style=flat-square) ![AppVersion: 1.15.5](https://img.shields.io/badge/AppVersion-1.15.5-informational?style=flat-square)
Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as
@@ -60,16 +60,20 @@ contributors across the globe, there is almost always someone available to help. | aksbyocni.enabled | bool | `false` | Enable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (`azure.enabled`) instead. | | alibabacloud.enabled | bool | `false` | Enable AlibabaCloud ENI integration | | annotateK8sNode | bool | `false` | Annotate k8s node upon initialization with Cilium's metadata. | +| annotations | object | `{}` | Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) | +| apiRateLimit | string | `nil` | The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API | | authentication.enabled | bool | `true` | Enable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. | | authentication.gcInterval | string | `"5m0s"` | Interval for garbage collection of auth map entries. | +| authentication.mutual.connectTimeout | string | `"5s"` | Timeout for connecting to the remote node TCP socket | | authentication.mutual.port | int | `4250` | Port on the agent where mutual authentication handshakes between agents will be performed | | authentication.mutual.spire.adminSocketPath | string | `"/run/spire/sockets/admin.sock"` | SPIRE socket path where the SPIRE delegated api agent is listening | | authentication.mutual.spire.agentSocketPath | string | `"/run/spire/sockets/agent/agent.sock"` | SPIRE socket path where the SPIRE workload agent is listening. 
Applies to both the Cilium Agent and Operator | +| authentication.mutual.spire.annotations | object | `{}` | Annotations to be added to all top-level spire objects (resources under templates/spire) | | authentication.mutual.spire.connectionTimeout | string | `"30s"` | SPIRE connection timeout | | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | -| authentication.mutual.spire.install.agent.image | string | `"ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823"` | SPIRE agent image | +| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | 
@@ -78,6 +82,8 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. | | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | +| authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -87,10 +93,12 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage | -| authentication.mutual.spire.install.server.image | string | `"ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f"` | SPIRE server image | +| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers | | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels | | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | +| authentication.mutual.spire.install.server.podSecurityContext | object | `{}` | Security context to be added to spire server pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | +| authentication.mutual.spire.install.server.securityContext | object | `{}` | Security context to be added to spire server containers. SecurityContext holds pod-level security attributes and common container settings. 
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | | authentication.mutual.spire.install.server.service.annotations | object | `{}` | Annotations to be added to the SPIRE server service | | authentication.mutual.spire.install.server.service.labels | object | `{}` | Labels to be added to the SPIRE server service | | authentication.mutual.spire.install.server.service.type | string | `"ClusterIP"` | Service type for the SPIRE server service | 
@@ -109,8 +117,11 @@ contributors across the globe, there is almost always someone available to help.
 | bgp.announce.loadbalancerIP | bool | `false` | Enable allocation and announcement of service LoadBalancer IPs |
 | bgp.announce.podCIDR | bool | `false` | Enable announcement of node pod CIDR |
 | bgp.enabled | bool | `false` | Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside cilium-agent and cilium-operator |
-| bgpControlPlane | object | `{"enabled":false}` | This feature set enables virtual BGP routers to be created via CiliumBGPPeeringPolicy CRDs. |
+| bgpControlPlane | object | `{"enabled":false,"secretsNamespace":{"create":false,"name":"kube-system"}}` | This feature set enables virtual BGP routers to be created via CiliumBGPPeeringPolicy CRDs. |
 | bgpControlPlane.enabled | bool | `false` | Enables the BGP control plane. |
+| bgpControlPlane.secretsNamespace | object | `{"create":false,"name":"kube-system"}` | SecretsNamespace is the namespace which BGP support will retrieve secrets from. |
+| bgpControlPlane.secretsNamespace.create | bool | `false` | Create secrets namespace for BGP secrets. |
+| bgpControlPlane.secretsNamespace.name | string | `"kube-system"` | The name of the secret namespace to which Cilium agents are given read access |
 | bpf.authMapMax | int | `524288` | Configure the maximum number of entries in auth map. |
 | bpf.autoMount.enabled | bool | `true` | Enable automatic mount of BPF filesystem When `autoMount` is enabled, the BPF filesystem is mounted at `bpf.root` path on the underlying host and inside the cilium agent pod. If users disable `autoMount`, it's expected that users have mounted bpffs filesystem at the specified `bpf.root` volume, and then the volume will be mounted inside the cilium agent pod at the same path. |
 | bpf.ctAnyMax | int | `262144` | Configure the maximum number of entries for the non-TCP connection tracking table. |
@@ -125,13 +136,15 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.monitorInterval | string | `"5s"` | Configure the typical time between monitor notifications for active connections. |
 | bpf.natMax | int | `524288` | Configure the maximum number of entries for the NAT table. |
 | bpf.neighMax | int | `524288` | Configure the maximum number of entries for the neighbor table. |
-| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). |
+| bpf.nodeMapMax | int | `nil` | Configures the maximum number of entries for the node table. |
+| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). @schema type: [null, integer] @schema |
 | bpf.preallocateMaps | bool | `false` | Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency. |
 | bpf.root | string | `"/sys/fs/bpf"` | Configure the mount point for the BPF filesystem |
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.11","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen.affinity | object | `{}` | Affinity for certgen |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
 | certgen.extraVolumes | list | `[]` | Additional certgen volumes. |
@@ -146,25 +159,29 @@ contributors across the globe, there is almost always someone available to help.
 | cleanState | bool | `false` | Clean all local Cilium state from the initContainer of the cilium-agent DaemonSet. Implies cleanBpfState: true. WARNING: Use with care! |
 | cluster.id | int | `0` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. |
+| clustermesh.annotations | object | `{}` | Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) |
 | clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver |
-| clustermesh.apiserver.etcd.image | object | `{"digest":"sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4","useDigest":true}` | Clustermesh API server etcd image. |
+| clustermesh.apiserver.etcd.init.extraArgs | list | `[]` | Additional arguments to `clustermesh-apiserver etcdinit`. |
+| clustermesh.apiserver.etcd.init.extraEnv | list | `[]` | Additional environment variables to `clustermesh-apiserver etcdinit`. |
 | clustermesh.apiserver.etcd.init.resources | object | `{}` | Specifies the resources for etcd init container in the apiserver |
+| clustermesh.apiserver.etcd.lifecycle | object | `{}` | lifecycle setting for the etcd container |
 | clustermesh.apiserver.etcd.resources | object | `{}` | Specifies the resources for etcd container in the apiserver |
 | clustermesh.apiserver.etcd.securityContext | object | `{}` | Security context to be added to clustermesh-apiserver etcd containers |
 | clustermesh.apiserver.extraArgs | list | `[]` | Additional clustermesh-apiserver arguments. |
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.10","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.5","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.10","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.lifecycle | object | `{}` | lifecycle setting for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
+| clustermesh.apiserver.lifecycle | object | `{}` | lifecycle setting for the apiserver container |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
-| clustermesh.apiserver.metrics.etcd.enabled | bool | `false` | Enables exporting etcd metrics in OpenMetrics format. |
+| clustermesh.apiserver.metrics.etcd.enabled | bool | `true` | Enables exporting etcd metrics in OpenMetrics format. |
 | clustermesh.apiserver.metrics.etcd.mode | string | `"basic"` | Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. |
 | clustermesh.apiserver.metrics.etcd.port | int | `9963` | Configure the port the etcd metric server listens on. |
 | clustermesh.apiserver.metrics.kvstoremesh.enabled | bool | `true` | Enables exporting KVStoreMesh metrics in OpenMetrics format. |
@@ -198,15 +215,13 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.service.internalTrafficPolicy | string | `nil` | The internalTrafficPolicy of service used for apiserver access. |
 | clustermesh.apiserver.service.nodePort | int | `32379` | Optional port to use as the node port for apiserver access. WARNING: make sure to configure a different NodePort in each cluster if kube-proxy replacement is enabled, as Cilium is currently affected by a known bug (#24692) when NodePorts are handled by the KPR implementation. If a service with the same NodePort exists both in the local and the remote cluster, all traffic originating from inside the cluster and targeting the corresponding NodePort will be redirected to a local backend, regardless of whether the destination node belongs to the local or the remote cluster. |
 | clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. |
+| clustermesh.apiserver.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for the clustermesh-apiserver deployment |
 | clustermesh.apiserver.tls.admin | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.authMode | string | `"legacy"` | Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The "remote" certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The "remote" certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-). The "remote" certificate must be generated with CN=remote- if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh. |
 | clustermesh.apiserver.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}` | Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. |
 | clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. |
 | clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
 | clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. |
-| clustermesh.apiserver.tls.ca | object | `{"cert":"","key":""}` | Deprecated in favor of tls.ca. To be removed in 1.15. base64 encoded PEM values for the ExternalWorkload CA certificate and private key. |
-| clustermesh.apiserver.tls.ca.cert | string | `""` | Deprecated in favor of tls.ca.cert. To be removed in 1.15. Optional CA cert. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. |
-| clustermesh.apiserver.tls.ca.key | string | `""` | Deprecated in favor of tls.ca.key. To be removed in 1.15. Optional CA private key. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. |
 | clustermesh.apiserver.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.remote | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. Used if 'auto' is not enabled. |
@@ -219,6 +234,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.config.clusters | list | `[]` | List of clusters to be peered in the mesh. |
 | clustermesh.config.domain | string | `"mesh.cilium.io"` | Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used. |
 | clustermesh.config.enabled | bool | `false` | Enable the Clustermesh explicit configuration. |
+| clustermesh.maxConnectedClusters | int | `255` | The maximum number of clusters to support in a ClusterMesh. This value cannot be changed on running clusters, and all clusters in a ClusterMesh must be configured with the same value. Values > 255 will decrease the maximum allocatable cluster-local identities. Supported values are 255 and 511. |
 | clustermesh.useAPIServer | bool | `false` | Deploy clustermesh-apiserver for clustermesh |
 | cni.binPath | string | `"/opt/cni/bin"` | Configure the path to the CNI binary directory on the host. |
 | cni.chainingMode | string | `nil` | Configure chaining on top of other CNI plugins. Possible values: - none - aws-cni - flannel - generic-veth - portmap |
@@ -231,6 +247,7 @@ contributors across the globe, there is almost always someone available to help.
 | cni.hostConfDirMountPath | string | `"/host/etc/cni/net.d"` | Configure the path to where the CNI configuration directory is mounted inside the agent pod. |
 | cni.install | bool | `true` | Install the CNI configuration and binary files into the filesystem. |
 | cni.logFile | string | `"/var/run/cilium/cilium-cni.log"` | Configure the log file for CNI logging with retention policy of 7 days. Disable CNI file logging by setting this field to empty explicitly. |
+| cni.resources | object | `{"requests":{"cpu":"100m","memory":"10Mi"}}` | Specifies the resources for the cni initContainer |
 | cni.uninstall | bool | `false` | Remove the CNI configuration and binary files on agent shutdown. Enable this if you're removing Cilium from the cluster. Disable this to prevent the CNI configuration file from being removed during agent upgrade, which can cause nodes to go unmanageable. |
 | conntrackGCInterval | string | `"0s"` | Configure how frequently garbage collection should occur for the datapath connection tracking table. |
 | conntrackGCMaxInterval | string | `""` | Configure the maximum frequency for the garbage collection of the connection tracking table. Only affects the automatic computation for the frequency and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently clean up unused identities created from ToFQDN policies. |
@@ -245,7 +262,7 @@ contributors across the globe, there is almost always someone available to help.
 | daemon.runPath | string | `"/var/run/cilium"` | Configure where Cilium runtime state should be stored. |
 | dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-agent grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
 | debug.enabled | bool | `false` | Enable debug logging |
-| debug.verbose | string | `nil` | Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Applicable values: - flow - kvstore - envoy - datapath - policy |
+| debug.verbose | string | `nil` | Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Multiple values can be set via a space-separated string (e.g. "datapath envoy"). Applicable values: - flow - kvstore - envoy - datapath - policy |
 | disableEndpointCRD | bool | `false` | Disable the usage of CiliumEndpoint CRD. |
 | dnsPolicy | string | `""` | DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | dnsProxy.dnsRejectResponseCode | string | `"refused"` | DNS response code for rejecting DNS requests, available options are '[nameError refused]'. |
@@ -257,18 +274,17 @@ contributors across the globe, there is almost always someone available to help.
 | dnsProxy.preCache | string | `""` | DNS cache data at this path is preloaded on agent startup. |
 | dnsProxy.proxyPort | int | `0` | Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. |
 | dnsProxy.proxyResponseMaxDelay | string | `"100ms"` | The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. |
-| egressGateway | object | `{"enabled":false,"installRoutes":false,"reconciliationTriggerInterval":"1s"}` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
-| egressGateway.installRoutes | bool | `false` | Install egress gateway IP rules and routes in order to properly steer egress gateway traffic to the correct ENI interface |
+| egressGateway.enabled | bool | `false` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
+| egressGateway.installRoutes | bool | `false` | Deprecated without a replacement necessary. |
 | egressGateway.reconciliationTriggerInterval | string | `"1s"` | Time between triggers of egress gateway state reconciliations |
 | enableCiliumEndpointSlice | bool | `false` | Enable CiliumEndpointSlice feature. |
-| enableCnpStatusUpdates | bool | `false` | Whether to enable CNP status updates. |
 | enableCriticalPriorityClass | bool | `true` | Explicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in `helm template` calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance. |
 | enableIPv4BIGTCP | bool | `false` | Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods |
 | enableIPv4Masquerade | bool | `true` | Enables masquerading of IPv4 traffic leaving the node from endpoints. |
 | enableIPv6BIGTCP | bool | `false` | Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods |
 | enableIPv6Masquerade | bool | `true` | Enables masquerading of IPv6 traffic leaving the node from endpoints. |
-| enableK8sEventHandover | bool | `false` | Configures the use of the KVStore to optimize Kubernetes event handling by mirroring it into the KVstore for reduced overhead in large clusters. |
 | enableK8sTerminatingEndpoint | bool | `true` | Configure whether to enable auto detect of terminating state for endpoints in order to support graceful termination. |
+| enableMasqueradeRouteSource | bool | `false` | Enables masquerading to the source of the route for traffic leaving the node from endpoints. |
 | enableRuntimeDeviceDetection | bool | `false` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. |
 | enableXTSocketFallback | bool | `true` | Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. |
 | encryption.enabled | bool | `false` | Enable transparent network encryption. |
@@ -283,7 +299,12 @@ contributors across the globe, there is almost always someone available to help.
 | encryption.mountPath | string | `"/etc/ipsec"` | Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. Path to mount the secret inside the Cilium pod. This option is only effective when encryption.type is set to ipsec. |
 | encryption.nodeEncryption | bool | `false` | Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard". |
 | encryption.secretName | string | `"cilium-ipsec-keys"` | Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. Name of the Kubernetes secret containing the encryption keys. This option is only effective when encryption.type is set to ipsec. |
+| encryption.strictMode | object | `{"allowRemoteNodeIdentities":false,"cidr":"","enabled":false}` | Configure the WireGuard Pod2Pod strict mode. |
+| encryption.strictMode.allowRemoteNodeIdentities | bool | `false` | Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. |
+| encryption.strictMode.cidr | string | `""` | CIDR for the WireGuard Pod2Pod strict mode. |
+| encryption.strictMode.enabled | bool | `false` | Enable WireGuard Pod2Pod strict mode. |
 | encryption.type | string | `"ipsec"` | Encryption method. Can be either ipsec or wireguard. |
+| encryption.wireguard.persistentKeepalive | string | `"0s"` | Controls Wireguard PersistentKeepalive option. Set 0s to disable. |
 | encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation. |
 | endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. |
 | endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. |
@@ -301,6 +322,7 @@ contributors across the globe, there is almost always someone available to help.
 | eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
 | envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
+| envoy.annotations | object | `{}` | Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) |
 | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
 | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | envoy.enabled | bool | `false` | Enable Envoy Proxy in standalone DaemonSet. |
@@ -312,7 +334,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -322,7 +344,8 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-envoy. |
 | envoy.podAnnotations | object | `{}` | Annotations to be added to envoy pods |
 | envoy.podLabels | object | `{}` | Labels to be added to envoy pods |
-| envoy.podSecurityContext | object | `{}` | Security Context for cilium-envoy pods. |
+| envoy.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-envoy pods. |
+| envoy.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers |
 | envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. |
 | envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. |
 | envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy |
@@ -345,10 +368,13 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-envoy DaemonSet. |
 | envoy.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for envoy scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | envoy.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | cilium-envoy update strategy ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset |
+| envoy.xffNumTrustedHopsL7PolicyEgress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. |
+| envoy.xffNumTrustedHopsL7PolicyIngress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. |
 | envoyConfig.enabled | bool | `false` | Enable CiliumEnvoyConfig CRD CiliumEnvoyConfig CRD can also be implicitly enabled by other options. |
 | envoyConfig.secretsNamespace | object | `{"create":true,"name":"cilium-secrets"}` | SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. |
 | envoyConfig.secretsNamespace.create | bool | `true` | Create secrets namespace for CiliumEnvoyConfig CRDs. |
 | envoyConfig.secretsNamespace.name | string | `"cilium-secrets"` | The name of the secret namespace to which Cilium agents are given read access. |
+| etcd.annotations | object | `{}` | Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) |
 | etcd.clusterDomain | string | `"cluster.local"` | Cluster domain for cilium-etcd-operator. |
 | etcd.enabled | bool | `false` | Enable etcd mode for the agent. |
 | etcd.endpoints | list | `["https://CHANGE-ME:2379"]` | List of etcd endpoints (not needed when using managed=true). |
@@ -394,24 +420,41 @@ contributors across the globe, there is almost always someone available to help.
 | hostFirewall | object | `{"enabled":false}` | Configure the host firewall. |
 | hostFirewall.enabled | bool | `false` | Enables the enforcement of host policies in the eBPF datapath. |
 | hostPort.enabled | bool | `false` | Enable hostPort service support. |
+| hubble.annotations | object | `{}` | Annotations to be added to all top-level hubble objects (resources under templates/hubble) |
 | hubble.enabled | bool | `true` | Enable Hubble (true by default). |
+| hubble.export | object | `{"dynamic":{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false},"fileMaxBackups":5,"fileMaxSizeMb":10,"static":{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}}` | Hubble flows export. |
+| hubble.export.dynamic | object | `{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false}` | - Dynamic exporters configuration. Dynamic exporters may be reconfigured without a need of agent restarts. |
+| hubble.export.dynamic.config.configMapName | string | `"cilium-flowlog-config"` | -- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. |
+| hubble.export.dynamic.config.content | list | `[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}]` | -- Exporters configuration in YAML format. |
+| hubble.export.dynamic.config.createConfigMap | bool | `true` | -- True if helm installer should create config map. Switch to false if you want to self maintain the file content. |
+| hubble.export.fileMaxBackups | int | `5` | - Defines max number of backup/rotated files. |
+| hubble.export.fileMaxSizeMb | int | `10` | - Defines max file size of output file before it gets rotated. |
+| hubble.export.static | object | `{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}` | - Static exporter configuration. Static exporter is bound to agent lifecycle. |
 | hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. |
-| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. |
+| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. |
 | hubble.metrics.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for hubble grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
 | hubble.metrics.enableOpenMetrics | bool | `false` | Enables exporting hubble metrics in OpenMetrics format. |
-| hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" |
+| hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" |
 | hubble.metrics.port | int | `9965` | Configure the port the hubble metric server listens on. |
 | hubble.metrics.serviceAnnotations | object | `{}` | Annotations to be added to hubble-metrics service. |
 | hubble.metrics.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor hubble |
 | hubble.metrics.serviceMonitor.enabled | bool | `false` | Create ServiceMonitor resources for Prometheus Operator. This requires the prometheus CRDs to be available. ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
 | hubble.metrics.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
+| hubble.metrics.serviceMonitor.jobLabel | string | `""` | jobLabel to add for ServiceMonitor hubble |
 | hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble |
 | hubble.metrics.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor hubble |
 | hubble.metrics.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor hubble |
 | hubble.peerService.clusterDomain | string | `"cluster.local"` | The cluster domain to use to query the Hubble Peer service. It should be the local cluster. |
 | hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service, must match the hubble.listenAddress' port. |
 | hubble.preferIpv6 | bool | `false` | Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. |
+| hubble.redact | object | `{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":false}}` | Enables redacting sensitive information present in Layer 7 flows. |
+| hubble.redact.http.headers.allow | list | `[]` | List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: allow: - traceparent - tracestate - Cache-Control You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" |
+| hubble.redact.http.headers.deny | list | `[]` | List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: deny: - Authorization - Proxy-Authorization You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" |
+| hubble.redact.http.urlQuery | bool | `false` | Enables redacting URL query (GET) parameters. Example: redact: enabled: true http: urlQuery: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.urlQuery="true" |
+| hubble.redact.http.userInfo | bool | `true` | Enables redacting user info, e.g., password when basic auth is used. Example: redact: enabled: true http: userInfo: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.userInfo="true" |
+| hubble.redact.kafka.apiKey | bool | `false` | Enables redacting Kafka's API key. Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.kafka.apiKey="true" |
 | hubble.relay.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for hubble-replay |
+| hubble.relay.annotations | object | `{}` | Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) |
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
@@ -419,7 +462,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.10","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.5","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -451,9 +494,9 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.sortBufferDrainTimeout | string | `nil` | When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). |
 | hubble.relay.sortBufferLenMax | string | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). |
 | hubble.relay.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for hubble relay Deployment. |
-| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false}}` | TLS configuration for Hubble Relay |
+| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}` | TLS configuration for Hubble Relay |
 | hubble.relay.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the hubble-relay client certificate and private key This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
-| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false}` | base64 encoded PEM values for the hubble-relay server certificate and private key |
+| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}` | base64 encoded PEM values for the hubble-relay server certificate and private key |
 | hubble.relay.tls.server.extraDnsNames | list | `[]` | extra DNS names added to certificate when its auto gen |
 | hubble.relay.tls.server.extraIpAddresses | list | `[]` | extra IP addresses added to certificate when its auto gen |
 | hubble.relay.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
@@ -473,10 +516,13 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated |
 | hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
 | hubble.ui.affinity | object | `{}` | Affinity for hubble-ui |
+| hubble.ui.annotations | object | `{}` | Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) |
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
 | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
 | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
 | hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. |
+| hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
+| hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
 | hubble.ui.backend.securityContext | object | `{}` | Hubble-ui backend security context. |
 | hubble.ui.baseUrl | string | `"/"` | Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing `/` is required for custom path, ex. `/service-map/` |
@@ -511,14 +557,15 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":true}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
 | ingressController.defaultSecretNamespace | string | `nil` | Default secret namespace for ingresses without .spec.tls[].secretName set. |
+| ingressController.enableProxyProtocol | bool | `false` | Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
-| ingressController.ingressLBAnnotationPrefixes | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate from Ingress to the Load Balancer service |
+| ingressController.ingressLBAnnotationPrefixes | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service |
 | ingressController.loadbalancerMode | string | `"dedicated"` | Default ingress load balancer mode Supported values: shared, dedicated For granular control, use the following annotations on the ingress resource ingress.cilium.io/loadbalancer-mode: shared|dedicated, |
 | ingressController.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. |
 | ingressController.secretsNamespace.create | bool | `true` | Create secrets namespace for Ingress. |
@@ -551,9 +598,9 @@ contributors across the globe, there is almost always someone available to help.
 | ipv6.enabled | bool | `false` | Enable IPv6 support. |
 | ipv6NativeRoutingCIDR | string | `""` | Allows to explicitly specify the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. |
 | k8s | object | `{}` | Configure Kubernetes specific configuration |
-| k8sClientRateLimit | object | `{"burst":10,"qps":5}` | Configure the client side rate limit for the agent and operator If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent and operator will start to throttle requests by delaying them until there is budget or the request times out. |
-| k8sClientRateLimit.burst | int | `10` | The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate. |
-| k8sClientRateLimit.qps | int | `5` | The sustained request rate in requests per second. |
+| k8sClientRateLimit | object | `{"burst":null,"qps":null}` | Configure the client side rate limit for the agent and operator If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent and operator will start to throttle requests by delaying them until there is budget or the request times out. |
+| k8sClientRateLimit.burst | int | 10 for k8s up to 1.26. 20 for k8s version 1.27+ | The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate. |
+| k8sClientRateLimit.qps | int | 5 for k8s up to 1.26. 10 for k8s version 1.27+ | The sustained request rate in requests per second. |
 | k8sNetworkPolicy.enabled | bool | `true` | Enable support for K8s NetworkPolicy |
 | k8sServiceHost | string | `""` | Kubernetes service host |
 | k8sServicePort | string | `""` | Kubernetes service port |
@@ -571,7 +618,8 @@ contributors across the globe, there is almost always someone available to help.
 | l7Proxy | bool | `true` | Enable Layer 7 network policy. |
 | livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
-| loadBalancer | object | `{"l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}` | Configure service load balancing |
+| loadBalancer | object | `{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}` | Configure service load balancing |
+| loadBalancer.acceleration | string | `"disabled"` | acceleration is the option to accelerate service handling via XDP Applicable values can be: disabled (do not use XDP), native (XDP BPF program is run directly out of the networking driver's early receive path), or best-effort (use native mode XDP acceleration on devices that support it). |
 | loadBalancer.l7 | object | `{"algorithm":"round_robin","backend":"disabled","ports":[]}` | L7 LoadBalancer |
 | loadBalancer.l7.algorithm | string | `"round_robin"` | Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. service.cilium.io/lb-l7-algorithm) Applicable values: round_robin, least_request, random |
 | loadBalancer.l7.backend | string | `"disabled"` | Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration. Applicable values: - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - disabled: Disable L7 load balancing by way of service annotation. |
@@ -584,22 +632,26 @@ contributors across the globe, there is almost always someone available to help.
 | name | string | `"cilium"` | Agent container name. |
 | nat46x64Gateway | object | `{"enabled":false}` | Configure standalone NAT46/NAT64 gateway |
 | nat46x64Gateway.enabled | bool | `false` | Enable RFC8215-prefixed translation |
-| nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enabled":false}` | Configure N-S k8s service loadbalancing |
+| nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enableHealthCheckLoadBalancerIP":false,"enabled":false}` | Configure N-S k8s service loadbalancing |
 | nodePort.autoProtectPortRange | bool | `true` | Append NodePort range to ip_local_reserved_ports if clash with ephemeral ports is detected. |
 | nodePort.bindProtection | bool | `true` | Set to true to prevent applications binding to service ports. |
 | nodePort.enableHealthCheck | bool | `true` | Enable healthcheck nodePort server for NodePort services |
+| nodePort.enableHealthCheckLoadBalancerIP | bool | `false` | Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs EnableHealthCheck to be enabled |
 | nodePort.enabled | bool | `false` | Enable the Cilium NodePort service implementation. |
 | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-agent. |
 | nodeinit.affinity | object | `{}` | Affinity for cilium-nodeinit |
+| nodeinit.annotations | object | `{}` | Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) |
 | nodeinit.bootstrapFile | string | `"/tmp/cilium-bootstrap.d/cilium-bootstrap-time"` | bootstrapFile is the location of the file where the bootstrap timestamp is written by the node-init DaemonSet |
 | nodeinit.enabled | bool | `false` | Enable the node initialization DaemonSet |
 | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
 | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
 | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
-| nodeinit.image | object | `{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}` | node-init image. |
+| nodeinit.image | object | `{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}` | node-init image. |
 | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
 | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
+| nodeinit.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-node-init pods. |
+| nodeinit.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-node-init` and init containers |
 | nodeinit.prestop | object | `{"postScript":"","preScript":""}` | prestop offers way to customize prestop nodeinit script (pre and post position) |
 | nodeinit.priorityClassName | string | `""` | The priority class to use for the nodeinit pod. |
 | nodeinit.resources | object | `{"requests":{"cpu":"100m","memory":"100Mi"}}` | nodeinit resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
@@ -608,6 +660,7 @@ contributors across the globe, there is almost always someone available to help.
 | nodeinit.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for nodeinit scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | nodeinit.updateStrategy | object | `{"type":"RollingUpdate"}` | node-init update strategy |
 | operator.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-operator |
+| operator.annotations | object | `{}` | Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) |
 | operator.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-operator grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
 | operator.dnsPolicy | string | `""` | DNS policy for Cilium operator pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | operator.enabled | bool | `true` | Enable the cilium-operator component (required). |
@@ -619,7 +672,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14","awsDigest":"sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6","azureDigest":"sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4","genericDigest":"sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.10","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3","awsDigest":"sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9","azureDigest":"sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522","genericDigest":"sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.5","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -632,10 +685,11 @@ contributors across the globe, there is almost always someone available to help.
 | operator.pprof.enabled | bool | `false` | Enable pprof for cilium-operator |
 | operator.pprof.port | int | `6061` | Configure pprof listen port for cilium-operator |
 | operator.priorityClassName | string | `""` | The priority class to use for cilium-operator |
-| operator.prometheus | object | `{"enabled":false,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":null}}` | Enable prometheus metrics for cilium-operator on the configured port at /metrics |
+| operator.prometheus | object | `{"enabled":true,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":null}}` | Enable prometheus metrics for cilium-operator on the configured port at /metrics |
 | operator.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-operator |
 | operator.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
 | operator.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
+| operator.prometheus.serviceMonitor.jobLabel | string | `""` | jobLabel to add for ServiceMonitor cilium-operator |
 | operator.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-operator |
 | operator.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-operator |
 | operator.prometheus.serviceMonitor.relabelings | string | `nil` | Relabeling configs for the ServiceMonitor cilium-operator |
@@ -656,17 +710,20 @@ contributors across the globe, there is almost always someone available to help. | pmtuDiscovery.enabled | bool | `false` | Enable path MTU discovery to send ICMP fragmentation-needed replies to the client. | | podAnnotations | object | `{}` | Annotations to be added to agent pods | | podLabels | object | `{}` | Labels to be added to agent pods | -| podSecurityContext | object | `{}` | Security Context for cilium-agent pods. | +| podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-agent pods. | +| podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers | +| policyCIDRMatchMode | string | `nil` | policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. The possible value is "nodes". | | policyEnforcementMode | string | `"default"` | The agent can be put into one of the three policy enforcement modes: default, always and never. ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes | | pprof.address | string | `"localhost"` | Configure pprof listen address for cilium-agent | | pprof.enabled | bool | `false` | Enable pprof for cilium-agent | | pprof.port | int | `6060` | Configure pprof listen port for cilium-agent | | preflight.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-preflight | +| preflight.annotations | object | `{}` | Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) | | preflight.enabled | bool | `false` | Enable Cilium pre-flight resources (required for upgrade) | | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. 
| | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":true}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | 
@@ -683,11 +740,13 @@ contributors across the globe, there is almost always someone available to help. | preflight.updateStrategy | object | `{"type":"RollingUpdate"}` | preflight update strategy | | preflight.validateCNPs | bool | `true` | By default we should always validate the installed CNPs before upgrading Cilium. This will make sure the user will have the policies deployed in the cluster with the right schema. | | priorityClassName | string | `""` | The priority class to use for cilium-agent. | -| prometheus | object | `{"enabled":false,"metrics":null,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"trustCRDsExist":false}}` | Configure prometheus metrics on the configured port at /metrics | +| prometheus | object | `{"controllerGroupMetrics":["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"],"enabled":false,"metrics":null,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"trustCRDsExist":false}}` | Configure prometheus metrics on the configured port at /metrics | +| prometheus.controllerGroupMetrics | list | `["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"]` | - Enable controller group metrics for monitoring specific Cilium subsystems. The list is a list of controller group names. The special values of "all" and "none" are supported. The set of controller group names is not guaranteed to be stable between Cilium versions. | | prometheus.metrics | string | `nil` | Metrics that should be enabled or disabled from the default metric list. The list is expected to be separated by a space. (+metric_foo to enable metric_foo , -metric_bar to disable metric_bar). 
ref: https://docs.cilium.io/en/stable/observability/metrics/ | | prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-agent | | prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | | prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. | +| prometheus.serviceMonitor.jobLabel | string | `""` | jobLabel to add for ServiceMonitor cilium-agent | | prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-agent | | prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-agent | | prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-agent | 
@@ -699,7 +758,7 @@ contributors across the globe, there is almost always someone available to help. | rbac.create | bool | `true` | Enable creation of Resource-Based Access Control configuration. | | readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe | | readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe | -| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity | +| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity Deprecated without replacement in 1.15. To be removed in 1.16. | | resourceQuotas | object | `{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}` | Enable resource quotas for priority classes used in the cluster. | | resources | object | `{}` | Agent resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | rollOutCiliumPods | bool | `false` | Roll out cilium agent pods automatically when configmap is updated. | 
@@ -716,6 +775,7 @@ contributors across the globe, there is almost always someone available to help. | serviceAccounts.clustermeshcertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"clustermesh-apiserver-generate-certs"}` | Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob | | serviceAccounts.hubblecertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"hubble-generate-certs"}` | Hubblecertgen is used if hubble.tls.auto.method=cronJob | | serviceAccounts.nodeinit.enabled | bool | `false` | Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by this issue. Name and automount can be configured, if enabled is set to true. Otherwise, they are ignored. Enabled can be removed once the issue is fixed. Cilium-nodeinit DS must also be fixed. | +| serviceNoBackendResponse | string | `"reject"` | Configure what the response should be to traffic for a service without backends. "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". Possible values: - reject (default) - drop | | sleepAfterInit | bool | `false` | Do not run Cilium agent when running with clean mode. Useful to completely uninstall Cilium as it will stop Cilium from starting and create artifacts in the node. | | socketLB | object | `{"enabled":false}` | Configure socket LB | | socketLB.enabled | bool | `false` | Enable socket LB | 
@@ -736,7 +796,6 @@ contributors across the globe, there is almost always someone available to help. | tls.caBundle.useSecret | bool | `false` | Use a Secret instead of a ConfigMap. | | tls.secretsBackend | string | `"local"` | This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). Possible values: - local - k8s | | tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | -| tunnel | string | `"vxlan"` | Configure the encapsulation configuration for communication between nodes. Deprecated in favor of tunnelProtocol and routingMode. To be removed in 1.15. Possible values: - disabled - vxlan - geneve | | tunnelPort | int | Port 8472 for VXLAN, Port 6081 for Geneve | Configure VXLAN and Geneve tunnel port. | | tunnelProtocol | string | `"vxlan"` | Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values: - "" - vxlan - geneve | | updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | Cilium agent update strategy | diff --git a/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json b/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json index 997608ee..94af2eac 100644 --- a/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json +++ b/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json @@ -27,7 +27,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -131,7 +134,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -271,7 +277,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -394,7 +403,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -511,7 +523,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -636,7 +651,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "description": "BPF memory usage in the entire system including components not managed by Cilium.", "fieldConfig": { "defaults": { @@ -759,7 +777,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "description": "Fill percentage of BPF maps, tagged by map name", "fieldConfig": { "defaults": { @@ -870,7 +891,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -971,7 +995,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -1072,7 +1099,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1173,7 +1203,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1274,7 +1307,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1375,7 +1411,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1511,7 +1550,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1612,7 +1654,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": 2, "fieldConfig": { "defaults": { @@ -1715,7 +1760,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1816,7 +1864,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1915,7 +1966,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -2016,7 +2070,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2117,7 +2174,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2239,7 +2299,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": 2, "fieldConfig": { "defaults": { @@ -2342,7 +2405,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": 2, "fieldConfig": { "defaults": { @@ -2445,7 +2511,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2546,7 +2615,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2647,7 +2719,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2767,7 +2842,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2864,7 +2942,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -2984,7 +3065,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3150,7 +3234,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3316,7 +3403,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3482,7 +3572,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3633,7 +3726,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": null, "fieldConfig": { "defaults": { @@ -3740,7 +3836,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3837,7 +3936,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3934,7 +4036,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -4047,7 +4152,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4147,7 +4255,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4270,7 +4381,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4370,7 +4484,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4518,7 +4635,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4638,7 +4758,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4740,7 +4863,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4864,7 +4990,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4966,7 +5095,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -5102,7 +5234,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5218,7 +5353,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5327,7 +5465,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5455,7 +5596,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5591,7 +5735,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5676,7 +5823,7 @@ "refId": "C" }, { - "expr": "sum(cilium_policy_change_total{k8s_app=\"cilium\", pod=~\"$pod\"}, outcome=\"fail\") by (pod)", + "expr": "sum(cilium_policy_change_total{k8s_app=\"cilium\", pod=~\"$pod\", outcome=\"fail\"}) by (pod)", "format": "time_series", "intervalFactor": 1, "legendFormat": "policy change errors", @@ -5733,7 +5880,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5841,7 +5991,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -5983,7 +6136,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": null, "fieldConfig": { "defaults": { @@ -6083,7 +6239,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": null, "fieldConfig": { "defaults": { @@ -6188,7 +6347,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6298,7 +6460,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6421,7 +6586,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6542,7 +6710,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6674,7 +6845,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6775,7 +6949,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -6876,7 +7053,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6977,7 +7157,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7078,7 +7261,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7178,7 +7364,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7277,7 +7466,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7376,7 +7568,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7475,7 +7670,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7578,7 +7776,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7681,7 +7882,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -7784,7 +7988,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7883,7 +8090,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7982,7 +8192,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -8081,7 +8294,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -8182,6 +8398,21 @@ "tags": [], "templating": { "list": [ + { + "current": {}, + "hide": 0, + "includeAll": false, + "label": "Prometheus", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, { "allValue": "cilium.*", "current": { @@ -8189,7 +8420,10 @@ "text": "All", "value": "$__all" }, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "definition": "label_values(cilium_version, pod)", "hide": 0, "includeAll": true, diff --git a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json index ea8984db..87939f69 100644 --- a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json +++ b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json 
@@ -301,6 +301,14 @@ "resourceApiVersion": "V3" } }, + "bootstrapExtensions": [ + { + "name": "envoy.bootstrap.internal_listener", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener" + } + } + ], "layeredRuntime": { "layers": [ { diff --git a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json index 12de657d..8de5ec1d 100644 --- a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json +++ b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json @@ -3226,7 +3226,7 @@ ] }, "timezone": "", - "title": "Hubble", + "title": "Hubble Metrics and Monitoring", "uid": "5HftnJAWz", "version": 24 } diff --git a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json new file mode 100644 index 00000000..d286fdb3 --- /dev/null +++ b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json 
@@ -0,0 +1,602 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "panel", + "id": "bargauge", + "name": "Bar gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.4.7" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 16612, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "cilium-overview" + ], + "targetBlank": false, + "title": "Cilium Overviews", + "tooltip": "", + "type": "dashboards", + "url": "" + }, + { + "asDropdown": true, + "icon": "external link", + "includeVars": false, + "keepTime": true, + "tags": [ + "hubble" + ], + "targetBlank": false, + "title": "Hubble", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 2, + "panels": [], + "title": "DNS", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + 
"axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 37, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_dns_queries_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source) > 0", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "DNS queries", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 41, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": 
{ + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(10, sum(rate(hubble_dns_queries_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])*60) by (query))", + "legendFormat": "{{query}}", + "range": true, + "refId": "A" + } + ], + "title": "Top 10 DNS queries", + "type": "bargauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 39, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "round(sum(rate(hubble_dns_queries_total{cluster=~\"$cluster\", 
source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source) - sum(label_replace(sum(rate(hubble_dns_responses_total{cluster=~\"$cluster\", source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\"}[$__rate_interval])) by (destination), \"source\", \"$1\", \"destination\", \"(.*)\")) without (destination), 0.001) > 0", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Missing DNS responses", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 43, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_dns_responses_total{cluster=~\"$cluster\", 
source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\", rcode!=\"No Error\"}[$__rate_interval])) by (destination, rcode) > 0", + "legendFormat": "{{destination}}: {{rcode}}", + "range": true, + "refId": "A" + } + ], + "title": "DNS errors", + "type": "timeseries" + } + ], + "refresh": "", + "revision": 1, + "schemaVersion": 38, + "style": "dark", + "tags": [ + "kubecon-demo" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "label": "Data Source", + "multi": false, + "name": "prometheus_datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "(?!grafanacloud-usage|grafanacloud-ml-metrics).+", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(cilium_version, cluster)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "cluster", + "options": [], + "query": { + "query": "label_values(cilium_version, cluster)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(source_namespace)", + "hide": 0, + "includeAll": true, + "label": "Source Namespace", + "multi": true, + "name": "source_namespace", + "options": [], + "query": { + "query": "label_values(source_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(destination_namespace)", + "hide": 0, + "includeAll": true, + "label": "Destination 
Namespace", + "multi": true, + "name": "destination_namespace", + "options": [], + "query": { + "query": "label_values(destination_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Hubble / DNS Overview (Namespace)", + "uid": "_f0DUpY4k", + "version": 26, + "weekStart": "" + } + \ No newline at end of file diff --git a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json new file mode 100644 index 00000000..d0cf9d3b --- /dev/null +++ b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json 
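Review bot: Every panel and variable in this new dashboard resolves its datasource through `${DS_PROMETHEUS}`, but the only declaration of that name is the `__inputs` entry, which Grafana substitutes only during a UI/API import; the `templating.list` entry that would supply it at runtime is named `prometheus_datasource` and nothing references it. If these files are provisioned from a ConfigMap, as files under `files/hubble/dashboards` presumably are, the variable stays unresolved and every query in the dashboard fails. The earlier hunk in this patch that adds a datasource variable with `"name": "DS_PROMETHEUS"` to the existing cilium dashboard solves exactly this; the same change here, `"name": "DS_PROMETHEUS"` in place of `"name": "prometheus_datasource"`, keeps the two dashboards consistent. The `"regex": "(?!grafanacloud-usage|grafanacloud-ml-metrics).+"` filter on that variable also looks like a Grafana Cloud leftover from the export rather than something a self-hosted chart should carry. The network-overview dashboard added in the following hunk has the identical mismatch.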
@@ -0,0 +1,1001 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "panel", + "id": "bargauge", + "name": "Bar gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.4.7" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 16612, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "cilium-overview" + ], + "targetBlank": false, + "title": "Cilium Overviews", + "tooltip": "", + "type": "dashboards", + "url": "" + }, + { + "asDropdown": true, + "icon": "external link", + "includeVars": false, + "keepTime": true, + "tags": [ + "hubble" + ], + "targetBlank": false, + "title": "Hubble", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 8, + "panels": [], + "title": "Flows processed", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + 
"axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (type, subtype)", + "legendFormat": "{{type}}/{{subtype}}", + "range": true, + "refId": "A" + } + ], + "title": "Flows processed by type", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": 
"linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 35, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (verdict)", + "legendFormat": "{{verdict}}", + "range": true, + "refId": "A" + } + ], + "title": "Flows processed by verdict", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 36, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(10, sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", 
source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source))", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Top 10 sources", + "type": "bargauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 37, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(10, sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (destination))", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Top 10 destinations", + "type": "bargauge" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 10, + "panels": [], + "title": "Connection drops", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false 
+ }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 20 + }, + "id": 23, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_tcp_flags_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\", flag=\"SYN\"}[$__rate_interval])) by (source) - sum(label_replace(sum(rate(hubble_tcp_flags_total{cluster=~\"$cluster\", source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\", flag=\"SYN-ACK\"}[$__rate_interval])) by (destination), \"source\", \"$1\", \"destination\", \"(.*)\")) without (destination) > 0", + "hide": false, + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Missing TCP SYN-ACKs", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + 
"lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 20 + }, + "id": 34, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_icmp_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\", type=\"EchoRequest\"}[$__rate_interval])) by (source) - sum(label_replace(sum(rate(hubble_icmp_total{cluster=~\"$cluster\", source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\", type=\"EchoReply\"}[$__rate_interval])) by (destination), \"source\", \"$1\", \"destination\", \"(.*)\")) without (destination) > 0", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Missing ICMP Echo Replys", + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 29 + }, + "id": 6, + "panels": [], + "title": "Network Policy drops", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, 
+ "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 29, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_drop_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source, reason) > 0", + "legendFormat": "{{source}}: {{reason}}", + "range": true, + "refId": "A" + } + ], + "title": "Network Policy drops by source", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, 
+ "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [ + { + "__systemRef": "hideSeriesFrom", + "matcher": { + "id": "byNames", + "options": { + "mode": "exclude", + "names": [ + "kube-dns-7d44cdb5d5-g85vg: UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE" + ], + "prefix": "All except:", + "readOnly": true + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": false, + "tooltip": false, + "viz": true + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 30, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_drop_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (destination, reason) > 0", + "legendFormat": "{{destination}}: {{reason}}", + "range": true, + "refId": "A" + } + ], + "title": "Network Policy drops by destination", + "type": "timeseries" + } + ], + "refresh": "", + "revision": 1, + "schemaVersion": 38, + "style": "dark", + "tags": [ + "kubecon-demo" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "label": "Data Source", + "multi": false, + "name": "prometheus_datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "(?!grafanacloud-usage|grafanacloud-ml-metrics).+", + "skipUrlSync": false, + 
"type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(cilium_version, cluster)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "cluster", + "options": [], + "query": { + "query": "label_values(cilium_version, cluster)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(source_namespace)", + "hide": 0, + "includeAll": true, + "label": "Source Namespace", + "multi": true, + "name": "source_namespace", + "options": [], + "query": { + "query": "label_values(source_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(destination_namespace)", + "hide": 0, + "includeAll": true, + "label": "Destination Namespace", + "multi": true, + "name": "destination_namespace", + "options": [], + "query": { + "query": "label_values(destination_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Hubble / Network Overview (Namespace)", + "uid": "nlsO8tYVz", + "version": 18, + "weekStart": "" + } + \ No newline at end of file 
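Review bot: The "Network Policy drops by destination" panel ships a `hideSeriesFrom` override whose `byNames` matcher lists `kube-dns-7d44cdb5d5-g85vg: UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE` with `"mode": "exclude"` and `"prefix": "All except:"`, which reads as Grafana's "hide all other series" toggle persisted from the author's own cluster; with `custom.hideFrom.viz` set to true, any other cluster sees that panel render with no visible series, so policy drops disappear from the one panel meant to surface them. Replacing the block with `"overrides": []` restores the panel. In the "Top 10 destinations" bar gauge the query groups `by (destination)` but the legend uses `"legendFormat": "{{source}}"`, so every bar is unlabeled; it should be `"legendFormat": "{{destination}}"`. The panel title `"Missing ICMP Echo Replys"` should read "Replies".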
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml index 89e604a7..9ccf2192 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml @@ -6,6 +6,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: @@ -82,6 +86,9 @@ rules: resources: - ciliumloadbalancerippools - ciliumbgppeeringpolicies + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs - ciliumclusterwideenvoyconfigs - ciliumclusterwidenetworkpolicies - ciliumegressgatewaypolicies @@ -137,6 +144,7 @@ rules: - ciliumendpoints/status - ciliumendpoints - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status verbs: - patch {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml index ecc32441..34b0a58b 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml index 291f4a34..144025e0 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml 
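Review bot: The three new `ciliumbgp*` resources are appended to a rule whose `verbs:` line lies outside the hunk, so the privileges this grants cannot be confirmed from the diff; worth checking that BGP node configs, advertisements and peer configs need the same verb set as `ciliumloadbalancerippools`, and that `patch` on `ciliumbgpnodeconfigs/status` (added in the next hunk) is the only write the agent needs there, since this ClusterRole is presumably what the agent DaemonSet's service account runs with on every node. The `{{- with .Values.annotations }}` / `{{- toYaml . | nindent 4 }}` block is repeated verbatim on the ClusterRole, the ClusterRoleBinding and the DaemonSet in this patch; a small named template would keep the three in step.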
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -16,6 +16,10 @@ kind: DaemonSet metadata: name: cilium namespace: {{ .Release.Namespace }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: cilium app.kubernetes.io/part-of: cilium @@ -49,6 +53,7 @@ spec: cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }} {{- end }} {{- if not .Values.securityContext.privileged }} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} # Set app AppArmor's profile to "unconfined". The value of this annotation # can be modified as long users know which profiles they have available # in AppArmor. @@ -59,6 +64,7 @@ spec: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined" {{- end }} {{- end }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -77,6 +83,11 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}} + {{- /* thus we have to remove it. */}} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} + {{- $_ := unset .Values.podSecurityContext "appArmorProfile" }} + {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -128,6 +139,7 @@ spec: failureThreshold: {{ .Values.startupProbe.failureThreshold }} periodSeconds: {{ .Values.startupProbe.periodSeconds }} successThreshold: 1 + initialDelaySeconds: 5 {{- end }} livenessProbe: {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }} 
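Review bot: `{{- $_ := unset .Values.podSecurityContext "appArmorProfile" }}` mutates `.Values` in place during rendering, so every template rendered after this one in the same release sees `podSecurityContext` without `appArmorProfile`; whether another template reads that key is not visible here, but a side effect on shared values is easy to miss later. A non-mutating copy, `{{- $psc := omit .Values.podSecurityContext "appArmorProfile" }}` followed by `{{- with $psc }}` in the next block, avoids it. The `semverCompare "<1.30.0" (printf "%d.%d.0" ...)` expression is also duplicated verbatim in the earlier `@@ -49` hunk that gates the AppArmor annotations; a named template returning the comparison would keep the two gates from drifting. Note that `.Capabilities.KubeVersion` comes from the API server on install/upgrade but from Helm's built-in default on a plain `helm template`, so an offline render can take a different AppArmor path than the cluster actually gets.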
@@ -196,6 +208,11 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST value: {{ .Values.k8sServiceHost | quote }} @@ -371,6 +388,11 @@ spec: mountPropagation: {{ .mountPropagation }} {{- end }} {{- end }} + {{- if .Values.hubble.export.dynamic.enabled }} + - name: hubble-flowlog-config + mountPath: /flowlog-config + readOnly: true + {{- end }} {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 8 }} {{- end }} @@ -387,7 +409,7 @@ spec: for i in {1..5}; do \ [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ done; \ - cilium monitor + cilium-dbg monitor {{- range $type := .Values.monitor.eventTypes -}} {{ " " }}--type={{ $type }} {{- end }} @@ -411,7 +433,7 @@ spec: image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - - cilium + - cilium-dbg - build-config {{- if (not (kindIs "invalid" .Values.daemon.configSources)) }} - "--source={{.Values.daemon.configSources}}" @@ -422,6 +444,9 @@ spec: {{- if (not (kindIs "invalid" .Values.daemon.blockedConfigOverrides)) }} - "--deny-config-keys={{.Values.daemon.blockedConfigOverrides}}" {{- end }} + {{- if .Values.kubeConfigPath }} + - "--k8s-kubeconfig-path={{ .Values.kubeConfigPath }}" + {{- end }} env: - name: K8S_NODE_NAME valueFrom: @@ -447,6 +472,11 @@ spec: volumeMounts: - name: tmp mountPath: /tmp + {{- if .Values.kubeConfigPath }} + - name: kube-config + mountPath: {{ .Values.kubeConfigPath }} + readOnly: true + {{- end }} {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 8 }} {{- end }} 
@@ -612,6 +642,12 @@ spec: name: cilium-config key: clean-cilium-bpf-state optional: true + - name: WRITE_CNI_CONF_WHEN_READY + valueFrom: + configMapKeyRef: + name: cilium-config + key: write-cni-conf-when-ready + optional: true {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST value: {{ .Values.k8sServiceHost | quote }} @@ -659,7 +695,7 @@ spec: resources: {{- toYaml . | trim | nindent 10 }} {{- end }} - {{- if and .Values.waitForKubeProxy (ne $kubeProxyReplacement "strict") }} + {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true")) }} - name: wait-for-kube-proxy image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} @@ -703,10 +739,10 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} command: - "/install-plugin.sh" + {{- with .Values.cni.resources }} resources: - requests: - cpu: 100m - memory: 10Mi + {{- toYaml . | trim | nindent 10 }} + {{- end }} securityContext: {{- if .Values.securityContext.privileged }} privileged: true @@ -750,7 +786,7 @@ spec: tolerations: {{- toYaml . | trim | nindent 8 }} {{- end }} - {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled (not .Values.clustermesh.apiserver.kvstoremesh.enabled) }} + {{- if and .Values.clustermesh.config.enabled (not (and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled )) }} hostAliases: {{- range $cluster := .Values.clustermesh.config.clusters }} {{- range $ip := $cluster.ips }} @@ -944,6 +980,12 @@ spec: path: client-ca.crt {{- end }} {{- end }} + {{- if .Values.hubble.export.dynamic.enabled }} + - name: hubble-flowlog-config + configMap: + name: {{ .Values.hubble.export.dynamic.config.configMapName }} + optional: true + {{- end }} {{- range .Values.extraHostPathMounts }} - name: {{ .name }} hostPath: 
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml index 7f1ff7c5..6f19135d 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml @@ -15,9 +15,14 @@ metadata: {{- if $.Values.dashboards.label }} {{ $.Values.dashboards.label }}: {{ ternary $.Values.dashboards.labelValue "1" (not (empty $.Values.dashboards.labelValue)) | quote }} {{- end }} - {{- with $.Values.dashboards.annotations }} + {{- if or $.Values.dashboards.annotations $.Values.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with $.Values.dashboards.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $.Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} data: {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml index abbf37d8..e4ad86d1 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml @@ -5,6 +5,10 @@ kind: Role metadata: name: cilium-config-agent namespace: {{ .Release.Namespace }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: @@ -26,6 +30,10 @@ kind: Role metadata: name: cilium-ingress-secrets namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: 
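Review bot: In hunk `@@ -15,9 +15,14 @@` both `$.Values.dashboards.annotations` and `$.Values.annotations` are written into the same `annotations:` mapping, so a key present in both renders as a duplicate mapping key, which YAML loaders either reject or resolve last-wins; here the resource-specific map is emitted first, while the serviceaccount and servicemonitor templates emit the global map first, so precedence silently differs by resource. Merging before rendering yields one key and a fixed precedence, e.g. `{{- toYaml (merge (dict) $.Values.dashboards.annotations $.Values.annotations) | nindent 4 }}` in place of the two `with` blocks (the empty `dict` as merge target avoids mutating `.Values`; `merge` keeps the first-listed map on conflict, `mergeOverwrite` the last). The same pair of `with` blocks is added in cilium-agent/serviceaccount.yaml, cilium-agent/servicemonitor.yaml, cilium-envoy/service.yaml, cilium-envoy/serviceaccount.yaml and cilium-envoy/servicemonitor.yaml.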
@@ -46,6 +54,10 @@ kind: Role metadata: name: cilium-gateway-secrets namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: @@ -66,6 +78,30 @@ kind: Role metadata: name: cilium-envoy-config-secrets namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +{{- end}} + +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.bgpControlPlane.enabled .Values.bgpControlPlane.secretsNamespace.name }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cilium-bgp-control-plane-secrets + namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }} labels: app.kubernetes.io/part-of: cilium rules: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml index ec8c5d80..cfa8697b 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml @@ -5,6 +5,10 @@ kind: RoleBinding metadata: name: cilium-config-agent namespace: {{ .Release.Namespace }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: @@ -24,6 +28,10 @@ kind: RoleBinding metadata: name: cilium-secrets namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: 
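Review bot: The new `cilium-bgp-control-plane-secrets` Role in hunk `@@ -66,6 +78,30 @@` binds the agent ServiceAccount to Secret access in `bgpControlPlane.secretsNamespace.name`; its `rules:` block continues past the hunk, and from the diff layout it inherits the former envoy-secrets rules, i.e. get/list/watch on every Secret in that namespace, which `resourceNames` cannot narrow for `list`/`watch`. If that value is pointed at the release namespace or `kube-system`, the node agent gains read access to unrelated component secrets, so the values documentation should state that a dedicated namespace is expected, and the template could refuse `.Release.Namespace` with a `fail`. The matching binding is added in the rolebinding.yaml hunk `@@ -73,3 +89,22 @@`; both conditions dereference `.Values.bgpControlPlane.secretsNamespace.name`, which presumably exists in the updated values.yaml not shown in this chunk.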
@@ -43,6 +51,10 @@ kind: RoleBinding metadata: name: cilium-gateway-secrets namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: @@ -62,6 +74,10 @@ kind: RoleBinding metadata: name: cilium-envoy-config-secrets namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: @@ -73,3 +89,22 @@ subjects: name: {{ .Values.serviceAccounts.cilium.name | quote }} namespace: {{ .Release.Namespace }} {{- end}} + +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.bgpControlPlane.enabled .Values.bgpControlPlane.secretsNamespace.name}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cilium-bgp-control-plane-secrets + namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }} + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-bgp-control-plane-secrets +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.cilium.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end}} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml index e0a55803..f6ec4951 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml @@ -5,6 +5,10 @@ kind: Service metadata: name: cilium-agent namespace: {{ .Release.Namespace }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: cilium app.kubernetes.io/name: cilium-agent 
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml index 605506f1..2c2cf399 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml @@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.cilium.name | quote }} namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.cilium.annotations }} + {{- if or .Values.serviceAccounts.cilium.annotations .Values.annotations }} annotations: - {{- toYaml .Values.serviceAccounts.cilium.annotations | nindent 4 }} + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.cilium.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml index 3beeacad..c2ffa66c 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml @@ -10,10 +10,15 @@ metadata: {{- with .Values.prometheus.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.prometheus.serviceMonitor.annotations .Values.annotations }} annotations: - {{- with .Values.prometheus.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: 
@@ -50,4 +55,7 @@ spec: {{- end }} targetLabels: - k8s-app +{{- if .Values.prometheus.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }} +{{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml index 5a74f787..f2225b93 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml @@ -1,5 +1,5 @@ {{- if or - (and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") (not .Values.clustermesh.apiserver.tls.ca.cert)) + (and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm")) (and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm")) (and .Values.tls.ca.key .Values.tls.ca.cert) -}} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml index ca3d945c..9531ca18 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml @@ -1,6 +1,5 @@ {{- if and (.Values.agent) (not .Values.preflight.enabled) }} {{- /* Default values with backwards compatibility */ -}} -{{- $defaultEnableCnpStatusUpdates := "true" -}} {{- $defaultBpfMapDynamicSizeRatio := 0.0 -}} {{- $defaultBpfMasquerade := "false" -}} {{- $defaultBpfClockProbe := "false" -}} 
@@ -13,11 +12,12 @@ {{- $fragmentTracking := "true" -}} {{- $defaultKubeProxyReplacement := "false" -}} {{- $azureUsePrimaryAddress := "true" -}} +{{- $defaultK8sClientQPS := 5 -}} +{{- $defaultK8sClientBurst := 10 -}} {{- $defaultDNSProxyEnableTransparentMode := "false" -}} {{- /* Default values when 1.8 was initially deployed */ -}} {{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}} - {{- $defaultEnableCnpStatusUpdates = "false" -}} {{- $defaultBpfMapDynamicSizeRatio = 0.0025 -}} {{- $defaultBpfMasquerade = "true" -}} {{- $defaultBpfClockProbe = "true" -}} @@ -78,6 +78,11 @@ {{- else if (not (kindIs "invalid" .Values.cni.chainingTarget)) -}} {{- $cniChainingMode = "generic-veth" -}} {{- end -}} + +{{- if semverCompare ">=1.27-0" .Capabilities.KubeVersion.Version -}} + {{- $defaultK8sClientQPS = 10 -}} + {{- $defaultK8sClientBurst = 20 -}} +{{- end -}} --- apiVersion: v1 kind: ConfigMap @@ -191,6 +196,11 @@ data: enable-policy: "{{ lower .Values.policyEnforcementMode }}" {{- end }} +{{- if hasKey .Values "policyCIDRMatchMode" }} + policy-cidr-match-mode: {{ join " " .Values.policyCIDRMatchMode | quote }} +{{- end}} + + {{- if .Values.prometheus.enabled }} # If you want metrics enabled in all of your Cilium agents, set the port for # which the Cilium agents will have their metrics exposed. @@ -207,6 +217,13 @@ data: {{ . }} {{- end }} {{- end }} + {{- if .Values.prometheus.controllerGroupMetrics }} + # A space-separated list of controller groups for which to enable metrics. + # The special values of "all" and "none" are supported. + controller-group-metrics: {{- range .Values.prometheus.controllerGroupMetrics }} + {{ . }} + {{- end }} + {{- end }} {{- end }} {{- if not .Values.envoy.enabled }} 
@@ -240,6 +257,7 @@ data: {{- if .Values.ingressController.enabled }} enable-ingress-controller: "true" enforce-ingress-https: {{ .Values.ingressController.enforceHttps | quote }} + enable-ingress-proxy-protocol: {{ .Values.ingressController.enableProxyProtocol | quote }} enable-ingress-secrets-sync: {{ .Values.ingressController.secretsNamespace.sync | quote }} ingress-secrets-namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} ingress-lb-annotation-prefixes: {{ .Values.ingressController.ingressLBAnnotationPrefixes | join " " | quote }} @@ -348,6 +366,11 @@ data: enable-host-legacy-routing: "true" {{- end }} +{{- if .Values.bpf.nodeMapMax }} + # node-map-max specifies the maximum number of entries for the node map. + bpf-node-map-max: {{ .Values.bpf.nodeMapMax | quote }} +{{- end }} + {{- if .Values.bpf.authMapMax }} # bpf-auth-map-max specifies the maximum number of entries in the auth map bpf-auth-map-max: {{ .Values.bpf.authMapMax | quote }} @@ -437,7 +460,6 @@ data: {{- end }} routing-mode: "native" enable-endpoint-routes: "true" - enable-local-node-route: "false" {{- else if .Values.aksbyocni.enabled }} {{- if ne (.Values.routingMode | default "tunnel") "tunnel" }} {{- fail (printf "RoutingMode must be set to tunnel when aksbyocni.enabled=true" )}} @@ -447,19 +469,9 @@ data: {{- else if .Values.routingMode }} routing-mode: {{ .Values.routingMode | quote }} {{- else }} - {{- if eq .Values.tunnel "disabled" }} - routing-mode: "native" - {{- else if eq .Values.tunnel "vxlan" }} - routing-mode: "tunnel" - tunnel-protocol: "vxlan" - {{- else if eq .Values.tunnel "geneve" }} - routing-mode: "tunnel" - tunnel-protocol: "geneve" - {{- else }} # Default case routing-mode: "tunnel" tunnel-protocol: "vxlan" - {{- end }} {{- end }} {{- if .Values.tunnelProtocol }} 
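Review bot: Hunk `@@ -447,19 +469,9 @@` removes every branch that read `.Values.tunnel`, so a values file still carrying `tunnel: disabled` (native routing) or `tunnel: geneve` now renders `routing-mode: "tunnel"` with vxlan and no error, a silent datapath and encapsulation change on upgrade. A guard such as `{{- if hasKey .Values "tunnel" }}{{- fail "tunnel was removed; set routingMode and tunnelProtocol instead" }}{{- end }}` turns that into an explicit upgrade step. The same silent-ignore applies to `encryption.wireguard.encapsulate`, replaced by `persistentKeepalive` in `@@ -591,8 +607,8 @@`, and to `enableCnpStatusUpdates` and `enableK8sEventHandover`, whose handling is deleted in `@@ -935,11 +1007,8 @@` and `@@ -971,10 +1040,6 @@`; whether this repository's own values set any of them is not visible here.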
@@ -470,6 +482,10 @@ data: tunnel-port: {{ .Values.tunnelPort | quote }} {{- end }} +{{- if .Values.serviceNoBackendResponse }} + service-no-backend-response: "{{ .Values.serviceNoBackendResponse }}" +{{- end}} + {{- if .Values.MTU }} mtu: {{ .Values.MTU | quote }} {{- end }} @@ -508,7 +524,6 @@ data: {{- if .Values.azure.enabled }} enable-endpoint-routes: "true" auto-create-cilium-node-resource: "true" - enable-local-node-route: "false" {{- if .Values.azure.userAssignedIdentityID }} azure-user-assigned-identity-id: {{ .Values.azure.userAssignedIdentityID | quote }} {{- end }} @@ -559,6 +574,7 @@ data: {{- else if eq $defaultBpfMasquerade "true" }} enable-bpf-masquerade: {{ $defaultBpfMasquerade | quote }} {{- end }} + enable-masquerade-to-route-source: {{ .Values.enableMasqueradeRouteSource | quote }} {{- if hasKey .Values "egressMasqueradeInterfaces" }} egress-masquerade-interfaces: {{ .Values.egressMasqueradeInterfaces }} {{- end }} @@ -591,8 +607,8 @@ data: {{- if .Values.encryption.wireguard.userspaceFallback }} enable-wireguard-userspace-fallback: {{ .Values.encryption.wireguard.userspaceFallback | quote }} {{- end }} - {{- if .Values.encryption.wireguard.encapsulate }} - wireguard-encapsulate: {{ .Values.encryption.wireguard.encapsulate | quote }} + {{- if .Values.encryption.wireguard.persistentKeepalive }} + wireguard-persistent-keepalive: {{ .Values.encryption.wireguard.persistentKeepalive | quote }} {{- end }} {{- end }} {{- if .Values.encryption.nodeEncryption }} 
@@ -600,6 +616,14 @@ data: {{- end }} {{- end }} +{{- if .Values.encryption.strictMode.enabled }} + enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled | quote }} + + encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr | quote }} + + encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities | quote }} +{{- end }} + enable-xt-socket-fallback: {{ .Values.enableXTSocketFallback | quote }} {{- if or (.Values.azure.enabled) (.Values.eni.enabled) (.Values.gke.enabled) (ne $cniChainingMode "none") }} install-no-conntrack-iptables-rules: "false" @@ -701,6 +725,11 @@ data: {{- end }} {{- if hasKey .Values.nodePort "enableHealthCheck" }} enable-health-check-nodeport: {{ .Values.nodePort.enableHealthCheck | quote}} +{{- end }} +{{- if .Values.gke.enabled }} + enable-health-check-loadbalancer-ip: "true" +{{- else if hasKey .Values.nodePort "enableHealthCheckLoadBalancerIP" }} + enable-health-check-loadbalancer-ip: {{ .Values.nodePort.enableHealthCheckLoadBalancerIP | quote}} {{- end }} node-port-bind-protection: {{ .Values.nodePort.bindProtection | quote }} enable-auto-protect-node-port-range: {{ .Values.nodePort.autoProtectPortRange | quote }} @@ -836,7 +865,7 @@ data: {{- if .Values.hubble.enabled }} # Enable Hubble gRPC service. - enable-hubble: {{ .Values.hubble.enabled | quote }} + enable-hubble: {{ .Values.hubble.enabled | quote }} # UNIX domain socket for Hubble server to listen to. hubble-socket-path: {{ .Values.hubble.socketPath | quote }} {{- if hasKey .Values.hubble "eventQueueSize" }} 
@@ -860,6 +889,49 @@ data: {{- end }} enable-hubble-open-metrics: {{ .Values.hubble.metrics.enableOpenMetrics | quote }} {{- end }} +{{- if .Values.hubble.redact }} +{{- if eq .Values.hubble.redact.enabled true }} + # Enables hubble redact capabilities + hubble-redact-enabled: "true" +{{- if .Values.hubble.redact.http }} + # Enables redaction of the http URL query part in flows + hubble-redact-http-urlquery: {{ .Values.hubble.redact.http.urlQuery | quote }} + # Enables redaction of the http user info in flows + hubble-redact-http-userinfo: {{ .Values.hubble.redact.http.userInfo | quote }} +{{- if .Values.hubble.redact.http.headers }} +{{- if .Values.hubble.redact.http.headers.allow }} + # Redact all http headers that do not match this list + hubble-redact-http-headers-allow: {{- range .Values.hubble.redact.http.headers.allow }} + {{ . }} +{{- end }} +{{- end }} +{{- if .Values.hubble.redact.http.headers.deny }} + # Redact all http headers that match this list + hubble-redact-http-headers-deny: {{- range .Values.hubble.redact.http.headers.deny }} + {{ . 
}} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- if .Values.hubble.redact.kafka }} + # Enables redaction of the Kafka API key part in flows + hubble-redact-kafka-apikey: {{ .Values.hubble.redact.kafka.apiKey | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- if .Values.hubble.export }} + hubble-export-file-max-size-mb: {{ .Values.hubble.export.fileMaxSizeMb | quote }} + hubble-export-file-max-backups: {{ .Values.hubble.export.fileMaxBackups | quote }} +{{- if .Values.hubble.export.static.enabled }} + hubble-export-file-path: {{ .Values.hubble.export.static.filePath | quote }} + hubble-export-fieldmask: {{ .Values.hubble.export.static.fieldMask | join " " | quote }} + hubble-export-allowlist: {{ .Values.hubble.export.static.allowList | join "," | quote }} + hubble-export-denylist: {{ .Values.hubble.export.static.denyList | join "," | quote }} +{{- end }} +{{- if .Values.hubble.export.dynamic.enabled }} + hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml +{{- end }} +{{- end }} {{- if hasKey .Values.hubble "listenAddress" }} # An additional address for Hubble server to listen to (e.g. ":4244"). hubble-listen-address: {{ .Values.hubble.listenAddress | quote }} @@ -893,7 +965,7 @@ data: ipam-cilium-node-update-rate: {{ include "validateDuration" .Values.ipam.ciliumNodeUpdateRate | quote }} {{- end }} -{{- if or (eq $ipam "cluster-pool") (eq $ipam "cluster-pool-v2beta") }} +{{- if (eq $ipam "cluster-pool") }} {{- if .Values.ipv4.enabled }} {{- if hasKey .Values.ipam.operator "clusterPoolIPv4PodCIDR" }} {{- /* ipam.operator.clusterPoolIPv4PodCIDR removed in v1.14, remove this failsafe around v1.17 */ -}} 
@@ -935,11 +1007,8 @@ data: limit-ipam-api-qps: {{ .Values.ipam.operator.externalAPILimitQPS | quote }} {{- end }} -{{- if .Values.enableCnpStatusUpdates }} - disable-cnp-status-updates: "false" -{{- else if (eq $defaultEnableCnpStatusUpdates "false") }} - disable-cnp-status-updates: "true" - cnp-node-status-gc-interval: "0s" +{{- if .Values.apiRateLimit }} + api-rate-limit: {{ .Values.apiRateLimit | quote }} {{- end }} {{- if .Values.egressGateway.enabled }} @@ -971,10 +1040,6 @@ data: {{- end }} {{- end }} -{{- if .Values.enableK8sEventHandover }} - enable-k8s-event-handover: "true" -{{- end }} - {{- if .Values.crdWaitTimeout }} crd-wait-timeout: {{ include "validateDuration" .Values.crdWaitTimeout | quote }} {{- end }} @@ -1026,6 +1091,7 @@ data: {{- if .Values.bgpControlPlane.enabled }} enable-bgp-control-plane: "true" + bgp-secrets-namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }} {{- else }} enable-bgp-control-plane: "false" {{- end }} @@ -1072,10 +1138,8 @@ data: annotate-k8s-node: "true" {{- end }} -{{- if hasKey .Values "k8sClientRateLimit" }} - k8s-client-qps: {{ .Values.k8sClientRateLimit.qps | quote }} - k8s-client-burst: {{ .Values.k8sClientRateLimit.burst | quote }} -{{- end }} + k8s-client-qps: {{ .Values.k8sClientRateLimit.qps | default $defaultK8sClientQPS | quote}} + k8s-client-burst: {{ .Values.k8sClientRateLimit.burst | default $defaultK8sClientBurst | quote }} {{- if and .Values.operator.setNodeTaints (not .Values.operator.removeNodeTaints) -}} {{ fail "Cannot have operator.setNodeTaintsMaxNodes and not operator.removeNodeTaints = false" }} @@ -1136,10 +1200,6 @@ data: {{- end }} {{- end }} -{{- if .Values.extraConfig }} - {{ toYaml .Values.extraConfig | nindent 2 }} -{{- end }} - {{- if hasKey .Values "agentNotReadyTaintKey" }} agent-not-ready-taint-key: {{ .Values.agentNotReadyTaintKey | quote }} {{- end }} 
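Review bot: The rewritten `k8s-client-qps`/`k8s-client-burst` lines in hunk `@@ -1072,10 +1138,8 @@` dereference `.Values.k8sClientRateLimit.qps` unconditionally, whereas the removed lines were guarded by `hasKey .Values "k8sClientRateLimit"`; if the chart's values.yaml (not in this chunk) does not define that map, rendering fails with a nil-pointer evaluation instead of falling back to `$defaultK8sClientQPS`. Keeping the fallback total: `k8s-client-qps: {{ (.Values.k8sClientRateLimit | default dict).qps | default $defaultK8sClientQPS | quote }}`, and likewise for burst. The missing space before `}}` on the qps line is harmless but inconsistent with the burst line.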
@@ -1153,6 +1213,7 @@ data: mesh-auth-mutual-enabled: "true" mesh-auth-mutual-listener-port: {{ .Values.authentication.mutual.port | quote }} mesh-auth-spire-agent-socket: {{ .Values.authentication.mutual.spire.agentSocketPath | quote }} + mesh-auth-mutual-connect-timeout: {{ include "validateDuration" .Values.authentication.mutual.connectTimeout | quote }} {{- if .Values.authentication.mutual.spire.serverAddress }} mesh-auth-spire-server-address: {{ .Values.authentication.mutual.spire.serverAddress | quote }} {{- else }} @@ -1163,9 +1224,12 @@ data: mesh-auth-spiffe-trust-domain: {{ .Values.authentication.mutual.spire.trustDomain | quote }} {{- end }} + proxy-xff-num-trusted-hops-ingress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyIngress | quote }} + proxy-xff-num-trusted-hops-egress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyEgress | quote }} proxy-connect-timeout: {{ .Values.envoy.connectTimeoutSeconds | quote }} proxy-max-requests-per-connection: {{ .Values.envoy.maxRequestsPerConnection | quote }} proxy-max-connection-duration-seconds: {{ .Values.envoy.maxConnectionDurationSeconds | quote }} + proxy-idle-timeout-seconds: {{ .Values.envoy.idleTimeoutDurationSeconds | quote }} external-envoy-proxy: {{ .Values.envoy.enabled | quote }} @@ -1173,6 +1237,16 @@ data: envoy-log: {{ .Values.envoy.log.path | quote }} {{- end }} +{{- if hasKey .Values.clustermesh "maxConnectedClusters" }} + max-connected-clusters: {{ .Values.clustermesh.maxConnectedClusters | quote }} +{{- end }} + +# Extra config allows adding arbitrary properties to the cilium config. +# By putting it at the end of the ConfigMap, it's also possible to override existing properties. +{{- if .Values.extraConfig }} + {{ toYaml .Values.extraConfig | nindent 2 }} +{{- end }} + {{- end }} --- {{- if and .Values.ipMasqAgent.enabled .Values.ipMasqAgent.config }} 
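Review bot: The new `proxy-xff-num-trusted-hops-ingress`/`-egress` keys in hunk `@@ -1163,9 +1224,12 @@` are rendered unconditionally, and any value above 0 tells the L7 proxy to trust that many client-supplied `X-Forwarded-For` entries when deriving the client address, so wherever no trusted proxy actually sits in front the address seen by L7 policy is chosen by the sender. The values documentation for `envoy.xffNumTrustedHopsL7PolicyIngress`/`Egress` should say they must stay at 0 unless such a proxy exists, and since `quote` on an unset value renders an empty entry, a `| default 0` would be safer: `proxy-xff-num-trusted-hops-ingress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyIngress | default 0 | quote }}`.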
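Review bot: The comment added in hunk `@@ -1173,6 +1237,16 @@` promises that `extraConfig` can override existing properties, but the rendering only appends the map after the generated keys, so an override produces a duplicated key in `data:`; loaders that reject duplicate mapping keys turn that into an install error, and ones that resolve last-wins make it work only by ordering. Worth confirming against the Helm/kubectl path this repository uses before relying on it, and the comment could state the caveat: `# A key that collides with a generated entry is duplicated in the rendered ConfigMap; whether the later value wins depends on the YAML loader.` Since `extraConfig` now reaches every agent option, including the policy-enforcement and masquerade keys rendered above, changes to it deserve the same review as the dedicated values.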
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml index 7aa0f046..990cf951 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml @@ -6,6 +6,10 @@ kind: ConfigMap metadata: name: cilium-envoy-config namespace: {{ .Release.Namespace }} + {{- with .Values.envoy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: {{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml index fcd5621b..30b9af0f 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml @@ -6,6 +6,10 @@ kind: DaemonSet metadata: name: cilium-envoy namespace: {{ .Release.Namespace }} + {{- with .Values.envoy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: cilium-envoy app.kubernetes.io/part-of: cilium 
@@ -31,11 +35,13 @@ spec: cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }} {{- end }} {{- if not .Values.envoy.securityContext.privileged }} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} # Set app AppArmor's profile to "unconfined". The value of this annotation # can be modified as long users know which profiles they have available # in AppArmor. container.apparmor.security.beta.kubernetes.io/cilium-envoy: "unconfined" {{- end }} + {{- end }} {{- with .Values.envoy.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -52,6 +58,11 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}} + {{- /* thus we have to remove it. */}} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} + {{- $_ := unset .Values.envoy.podSecurityContext "appArmorProfile" }} + {{- end }} {{- with .Values.envoy.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -65,7 +76,7 @@ spec: args: - '-c /var/run/cilium/envoy/bootstrap-config.json' - '--base-id 0' - {{- if and (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "envoy" ( splitList " " .Values.debug.verbose )) }} + {{- if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "envoy" ( splitList " " .Values.debug.verbose )) }} - '--log-level trace' {{- else if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "flow" ( splitList " " .Values.debug.verbose )) }} - '--log-level debug' 
@@ -89,6 +100,7 @@ spec: failureThreshold: {{ .Values.envoy.startupProbe.failureThreshold }} periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }} successThreshold: 1 + initialDelaySeconds: 5 {{- end }} livenessProbe: httpGet: @@ -175,6 +187,9 @@ spec: - name: envoy-sockets mountPath: /var/run/cilium/envoy/sockets readOnly: false + - name: envoy-artifacts + mountPath: /var/run/cilium/envoy/artifacts + readOnly: true - name: envoy-config mountPath: /var/run/cilium/envoy/ readOnly: true @@ -224,6 +239,10 @@ spec: hostPath: path: "{{ .Values.daemon.runPath }}/envoy/sockets" type: DirectoryOrCreate + - name: envoy-artifacts + hostPath: + path: "{{ .Values.daemon.runPath }}/envoy/artifacts" + type: DirectoryOrCreate - name: envoy-config configMap: name: cilium-envoy-config diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml index f5c2a09b..d238c62e 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml @@ -4,11 +4,16 @@ kind: Service metadata: name: cilium-envoy namespace: {{ .Release.Namespace }} - {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }} + {{- if or (not .Values.envoy.prometheus.serviceMonitor.enabled) .Values.envoy.annotations }} annotations: + {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }} prometheus.io/scrape: "true" prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }} {{- end }} + {{- with .Values.envoy.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} labels: k8s-app: cilium-envoy app.kubernetes.io/name: cilium-envoy diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml index 6094ba20..607dabca 100644 
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml @@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.envoy.name | quote }} namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.envoy.annotations }} + {{- if or .Values.serviceAccounts.envoy.annotations .Values.envoy.annotations }} annotations: - {{- toYaml .Values.serviceAccounts.envoy.annotations | nindent 4 }} + {{- with .Values.envoy.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.envoy.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml index 3f120b9d..10f84d82 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml @@ -11,10 +11,15 @@ metadata: {{- with .Values.envoy.prometheus.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.envoy.prometheus.serviceMonitor.annotations .Values.envoy.annotations }} annotations: - {{- with .Values.envoy.prometheus.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.envoy.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.envoy.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml new file mode 100644 index 00000000..8a1341e4 --- /dev/null +++ b/packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml 
@@ -0,0 +1,12 @@ +{{- if and .Values.hubble.export.dynamic.enabled .Values.hubble.export.dynamic.config.createConfigMap }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.hubble.export.dynamic.config.configMapName }} + namespace: {{ .Release.Namespace }} +data: + flowlogs.yaml: | + flowLogs: +{{ .Values.hubble.export.dynamic.config.content | toYaml | indent 4 }} +{{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml b/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml index 089649ff..74a78d8d 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml @@ -1,6 +1,6 @@ {{- if .Values.gatewayAPI.enabled -}} -{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1/GatewayClass" }} -apiVersion: gateway.networking.k8s.io/v1beta1 +{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/GatewayClass" }} +apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: cilium diff --git a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml index 63de5715..3ed09268 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml @@ -5,6 +5,10 @@ apiVersion: apps/v1 metadata: name: cilium-node-init namespace: {{ .Release.Namespace }} + {{- with .Values.nodeinit.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app: cilium-node-init app.kubernetes.io/part-of: cilium 
@@ -24,11 +28,13 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- if not .Values.securityContext.privileged }} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} # Set app AppArmor's profile to "unconfined". The value of this annotation # can be modified as long users know which profiles they have available # in AppArmor. container.apparmor.security.beta.kubernetes.io/node-init: "unconfined" {{- end }} + {{- end }} labels: app: cilium-node-init app.kubernetes.io/part-of: cilium @@ -41,6 +47,15 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}} + {{- /* thus we have to remove it. */}} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} + {{- $_ := unset .Values.nodeinit.podSecurityContext "appArmorProfile" }} + {{- end }} + {{- with .Values.nodeinit.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: node-init image: {{ include "cilium.image" .Values.nodeinit.image | quote }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml index 806e3706..eb503ee9 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml 
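Review bot: The `{{- $_ := unset .Values.nodeinit.podSecurityContext "appArmorProfile" }}` line in the second hunk mutates the values map in place, so every later template in the same render that reads `nodeinit.podSecurityContext` also sees the key removed; probably intended, but it deserves a comment because nothing else in the file signals the side effect. The two hunks together also make node-init's AppArmor posture version-dependent: below 1.30 the pod carries the `unconfined` annotation (and only when `securityContext.privileged` is false), while on 1.30 and later the profile comes solely from `nodeinit.podSecurityContext.appArmorProfile`, which this chunk does not show being set in values.yaml. If that value is absent, node-init on a 1.30+ node presumably runs under the runtime's default profile instead of unconfined, which is a quiet hardening regression for a container that configures the host. I would confirm the vendored values.yaml and add above the `securityContext:` block a line like `# On Kubernetes >=1.30 the AppArmor profile is taken only from nodeinit.podSecurityContext.appArmorProfile; the annotation above is not emitted there.` The DaemonSet pod spec continues outside the hunk.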
@@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.nodeinit.name | quote }} namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.nodeinit.annotations }} + {{- if or .Values.serviceAccounts.nodeinit.annotations .Values.nodeinit.annotations }} annotations: - {{- toYaml .Values.serviceAccounts.nodeinit.annotations | nindent 4 }} + {{- with .Values.nodeinit.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.nodeinit.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml index 862fac10..7e9080b5 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium-operator + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: @@ -157,6 +161,9 @@ rules: resources: - ciliumendpointslices - ciliumenvoyconfigs + - ciliumbgppeerconfigs + - ciliumbgpadvertisements + - ciliumbgpnodeconfigs verbs: - create - update @@ -183,6 +190,11 @@ rules: resourceNames: - ciliumloadbalancerippools.cilium.io - ciliumbgppeeringpolicies.cilium.io + - ciliumbgpclusterconfigs.cilium.io + - ciliumbgppeerconfigs.cilium.io + - ciliumbgpadvertisements.cilium.io + - ciliumbgpnodeconfigs.cilium.io + - ciliumbgpnodeconfigoverrides.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io 
@@ -203,6 +215,8 @@ rules: resources: - ciliumloadbalancerippools - ciliumpodippools + - ciliumbgpclusterconfigs + - ciliumbgpnodeconfigoverrides verbs: - get - list @@ -258,6 +272,7 @@ rules: - gateways - tlsroutes - httproutes + - grpcroutes - referencegrants - referencepolicies verbs: @@ -270,6 +285,7 @@ rules: - gatewayclasses/status - gateways/status - httproutes/status + - grpcroutes/status - tlsroutes/status verbs: - update diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml index a8a51bd4..f0d00e2e 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium-operator + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml index 37402bed..c4b90a27 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml 
@@ -15,9 +15,14 @@ metadata: {{- if $.Values.operator.dashboards.label }} {{ $.Values.operator.dashboards.label }}: {{ ternary $.Values.operator.dashboards.labelValue "1" (not (empty $.Values.operator.dashboards.labelValue)) | quote }} {{- end }} - {{- with $.Values.operator.dashboards.annotations }} + {{- if or $.Values.operator.dashboards.annotations $.Values.operator.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with $.Values.operator.dashboards.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $.Values.operator.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} data: {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml index 44b1da2a..4f4450e5 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml @@ -5,6 +5,10 @@ kind: Deployment metadata: name: cilium-operator namespace: {{ .Release.Namespace }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: io.cilium/app: operator name: cilium-operator diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml index cb63aaf0..a224b9e6 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml 
@@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: cilium-operator namespace: {{ .Release.Namespace }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: io.cilium/app: operator name: cilium-operator diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml index cf2526d9..20101b02 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml @@ -5,6 +5,10 @@ kind: Role metadata: name: cilium-operator-ingress-secrets namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: @@ -26,6 +30,10 @@ kind: Role metadata: name: cilium-operator-gateway-secrets namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml index aa826906..8d8f73d8 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml @@ -5,6 +5,10 @@ kind: RoleBinding metadata: name: cilium-operator-ingress-secrets namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: 
@@ -24,6 +28,10 @@ kind: RoleBinding metadata: name: cilium-operator-gateway-secrets namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml index 42096412..31e917ec 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml @@ -5,6 +5,10 @@ kind: Secret metadata: name: cilium-azure namespace: {{ .Release.Namespace }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: Opaque data: AZURE_CLIENT_ID: {{ default "" .Values.azure.clientID | b64enc | quote }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml index 61514916..8c201099 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml @@ -4,6 +4,10 @@ apiVersion: v1 metadata: name: cilium-operator namespace: {{ .Release.Namespace }} + {{- with .Values.operator.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: io.cilium/app: operator name: cilium-operator diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml index 4bb3551c..b083907e 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml 
@@ -8,8 +8,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.operator.name | quote }} namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.operator.annotations }} + {{- if or .Values.serviceAccounts.operator.annotations .Values.operator.annotations }} annotations: - {{- toYaml .Values.serviceAccounts.operator.annotations | nindent 4 }} + {{- with .Values.operator.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.operator.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml index a3edaec5..742993b8 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml @@ -10,10 +10,15 @@ metadata: {{- with .Values.operator.prometheus.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.operator.prometheus.serviceMonitor.annotations .Values.operator.annotations }} annotations: - {{- with .Values.operator.prometheus.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.operator.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.operator.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: @@ -37,4 +42,7 @@ spec: {{- end }} targetLabels: - io.cilium/app +{{- if .Values.operator.prometheus.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.operator.prometheus.serviceMonitor.jobLabel | quote }} +{{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml index 379814c8..d2a8f4ca 100644 
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml @@ -6,6 +6,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium-pre-flight + {{- with .Values.preflight.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: @@ -82,6 +86,9 @@ rules: resources: - ciliumloadbalancerippools - ciliumbgppeeringpolicies + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs - ciliumclusterwideenvoyconfigs - ciliumclusterwidenetworkpolicies - ciliumegressgatewaypolicies @@ -137,6 +144,7 @@ rules: - ciliumendpoints/status - ciliumendpoints - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status verbs: - patch {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml index ef5be1de..1237d6ac 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium-pre-flight + {{- with .Values.preflight.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml index a5e34f3d..bafd2700 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml 
@@ -4,6 +4,10 @@ kind: DaemonSet metadata: name: cilium-pre-flight-check namespace: {{ .Release.Namespace }} + {{- with .Values.preflight.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: @@ -109,7 +113,7 @@ spec: args: - -ec - | - cilium preflight fqdn-poller --tofqdns-pre-cache {{ .Values.preflight.tofqdnsPreCache }}; + cilium-dbg preflight fqdn-poller --tofqdns-pre-cache {{ .Values.preflight.tofqdnsPreCache }}; touch /tmp/ready-tofqdns-precache; livenessProbe: exec: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml index b4f542ea..af0a31ba 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml @@ -4,6 +4,10 @@ kind: Deployment metadata: name: cilium-pre-flight-check namespace: {{ .Release.Namespace }} + {{- with .Values.preflight.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium app.kubernetes.io/name: cilium-pre-flight-check @@ -39,7 +43,7 @@ spec: args: - -ec - | - cilium preflight validate-cnp; + cilium-dbg preflight validate-cnp; touch /tmp/ready-validate-cnp; sleep 1h; livenessProbe: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml index d939a9a2..4b3c7cb0 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml 
@@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: cilium-pre-flight-check namespace: {{ .Release.Namespace }} + {{- with .Values.preflight.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: cilium-pre-flight-check-deployment app.kubernetes.io/part-of: cilium diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml index a55aaa40..b64a3296 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml @@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.preflight.name | quote }} namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.preflight.annotations }} + {{- if or .Values.serviceAccounts.preflight.annotations .Values.preflight.annotations }} annotations: - {{ toYaml .Values.serviceAccounts.preflight.annotations | nindent 4 }} + {{- with .Values.preflight.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.preflight.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml b/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml index 6e1aa43d..d99967fa 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml 
@@ -1,32 +1,14 @@ -{{- if and .Values.ingressController.enabled .Values.ingressController.secretsNamespace.create .Values.ingressController.secretsNamespace.name }} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.ingressController.secretsNamespace.name | quote }} -{{- end}} +{{- $secretNamespaces := dict -}} +{{- range $cfg := tuple .Values.ingressController .Values.gatewayAPI .Values.envoyConfig .Values.bgpControlPlane -}} +{{- if and $cfg.enabled $cfg.secretsNamespace.create $cfg.secretsNamespace.name -}} +{{- $_ := set $secretNamespaces $cfg.secretsNamespace.name 1 -}} +{{- end -}} +{{- end -}} -# Only create the namespace if it's different from Ingress secret namespace or Ingress is not enabled. -{{- if and .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.create .Values.gatewayAPI.secretsNamespace.name - (or (not (and .Values.ingressController.enabled .Values.ingressController.secretsNamespace.create .Values.ingressController.secretsNamespace.name)) - (ne .Values.gatewayAPI.secretsNamespace.name .Values.ingressController.secretsNamespace.name)) }} +{{- range $name, $_ := $secretNamespaces }} --- apiVersion: v1 kind: Namespace metadata: - name: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} -{{- end}} - -# Only create the namespace if it's different from Ingress and Gateway API secret namespaces (if enabled). 
-{{- if and .Values.envoyConfig.enabled .Values.envoyConfig.secretsNamespace.create .Values.envoyConfig.secretsNamespace.name - (and - (or (not (and .Values.ingressController.enabled .Values.ingressController.secretsNamespace.create .Values.ingressController.secretsNamespace.name)) - (ne .Values.envoyConfig.secretsNamespace.name .Values.ingressController.secretsNamespace.name)) - (or (not (and .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.create .Values.gatewayAPI.secretsNamespace.name)) - (ne .Values.envoyConfig.secretsNamespace.name .Values.gatewayAPI.secretsNamespace.name))) }} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.envoyConfig.secretsNamespace.name | quote }} + name: {{ $name | quote }} {{- end}} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml index c00c8a51..c5df0163 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml @@ -5,6 +5,10 @@ metadata: name: clustermesh-apiserver labels: app.kubernetes.io/part-of: cilium + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} rules: - apiGroups: - cilium.io diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml index 8ef03cb2..edc3cf9c 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml 
@@ -5,6 +5,10 @@ metadata: name: clustermesh-apiserver labels: app.kubernetes.io/part-of: cilium + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml index 7783a9e5..6c5e6c3e 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml @@ -7,6 +7,10 @@ kind: Deployment metadata: name: clustermesh-apiserver namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: clustermesh-apiserver app.kubernetes.io/part-of: cilium 
@@ -44,41 +48,45 @@ spec: {{- end }} initContainers: - name: etcd-init - image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }} - imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }} - command: ["/bin/sh", "-c"] + image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }} + imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }} + command: + - /usr/bin/clustermesh-apiserver args: - - | - rm -rf /var/run/etcd/*; - /usr/local/bin/etcd --data-dir=/var/run/etcd --name=clustermesh-apiserver --listen-client-urls=http://127.0.0.1:2379 --advertise-client-urls=http://127.0.0.1:2379 --initial-cluster-token=clustermesh-apiserver --initial-cluster-state=new --auto-compaction-retention=1 & - - # The following key needs to be created before that the cilium agents - # have the possibility of connecting to etcd. - etcdctl put cilium/.has-cluster-config true - - etcdctl user add root --no-password; - etcdctl user grant-role root root; - etcdctl user add admin-{{ .Values.cluster.name }} --no-password; - etcdctl user grant-role admin-{{ .Values.cluster.name }} root; - etcdctl user add externalworkload --no-password; - etcdctl role add externalworkload; - etcdctl role grant-permission externalworkload --from-key read ''; - etcdctl role grant-permission externalworkload readwrite --prefix cilium/state/noderegister/v1/; - etcdctl role grant-permission externalworkload readwrite --prefix cilium/.initlock/; - etcdctl user grant-role externalworkload externalworkload; - etcdctl user add remote --no-password; - etcdctl role add remote; - etcdctl role grant-permission remote --from-key read ''; - etcdctl user grant-role remote remote; - etcdctl auth enable; - exit + - etcdinit + {{- if .Values.debug.enabled }} + - --debug + {{- end }} + # These need to match the equivalent arguments to etcd in the main container. 
+ - --etcd-cluster-name=clustermesh-apiserver + - --etcd-initial-cluster-token=$(INITIAL_CLUSTER_TOKEN) + - --etcd-data-dir=/var/run/etcd + {{- with .Values.clustermesh.apiserver.etcd.init.extraArgs }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} env: - - name: ETCDCTL_API - value: "3" - - name: HOSTNAME_IP + # The Cilium cluster name (specified via the `CILIUM_CLUSTER_NAME` environment variable) and the etcd cluster + # name (specified via the `--etcd-cluster-name` argument) are very different concepts. The Cilium cluster name + # is the name of the overall Cilium cluster, and is used to set the admin account username. The etcd cluster + # name is a concept that's only relevant for etcd itself. The etcd cluster name must be the same for both this + # command and the actual invocation of etcd in the main containers of this Pod, but it's otherwise not + # relevant to Cilium. + - name: CILIUM_CLUSTER_NAME + valueFrom: + configMapKeyRef: + name: cilium-config + key: cluster-name + - name: INITIAL_CLUSTER_TOKEN valueFrom: fieldRef: - fieldPath: status.podIP + fieldPath: metadata.uid + {{- with .Values.clustermesh.apiserver.etcd.init.extraEnv }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.clustermesh.apiserver.etcd.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} volumeMounts: - name: etcd-data-dir mountPath: /var/run/etcd @@ -92,10 +100,11 @@ spec: {{- end }} containers: - name: etcd - image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }} - imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }} + # The clustermesh-apiserver container image includes an etcd binary. + image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }} + imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }} command: - - /usr/local/bin/etcd + - /usr/bin/etcd args: - --data-dir=/var/run/etcd - --name=clustermesh-apiserver 
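Review bot: Replacing the inline etcdctl bootstrap with `clustermesh-apiserver etcdinit` drops the only place the template made etcd's authorization model visible: the removed lines created `root`, `admin-<cluster>`, `externalworkload` and `remote` with `--no-password`, limited `remote` to read-only and `externalworkload` to read plus write under `cilium/state/noderegister/v1/` and `cilium/.initlock/`, and finished with `etcdctl auth enable`. The surviving comment explains only how the cluster name selects the admin username, and `etcd.init.extraArgs` is spliced into the init container verbatim, so a values override can alter that bootstrap without anything in the chart flagging it. I would add above `args:` a comment such as `# etcdinit creates the etcd users/roles (admin, externalworkload, remote) and enables etcd auth; extraArgs are passed to it unmodified.` Note also that the admin username is now derived from the `cluster-name` key of the `cilium-config` ConfigMap rather than `.Values.cluster.name`, so those two must agree — presumably they do within one release, but it is worth confirming. The init container's volumeMounts continue outside the hunk.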
@@ -107,7 +116,7 @@ spec: # uses net.SplitHostPort() internally and it accepts the that format. - --listen-client-urls=https://127.0.0.1:2379,https://[$(HOSTNAME_IP)]:2379 - --advertise-client-urls=https://[$(HOSTNAME_IP)]:2379 - - --initial-cluster-token=clustermesh-apiserver + - --initial-cluster-token=$(INITIAL_CLUSTER_TOKEN) - --auto-compaction-retention=1 {{- if .Values.clustermesh.apiserver.metrics.etcd.enabled }} - --listen-metrics-urls=http://[$(HOSTNAME_IP)]:{{ .Values.clustermesh.apiserver.metrics.etcd.port }} @@ -120,6 +129,10 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + - name: INITIAL_CLUSTER_TOKEN + valueFrom: + fieldRef: + fieldPath: metadata.uid ports: - name: etcd containerPort: 2379 @@ -147,12 +160,17 @@ spec: securityContext: {{- toYaml . | nindent 10 }} {{- end }} + {{- with .Values.clustermesh.apiserver.etcd.lifecycle }} + lifecycle: + {{- toYaml . | nindent 10 }} + {{- end }} - name: apiserver image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }} imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }} command: - /usr/bin/clustermesh-apiserver args: + - clustermesh {{- if .Values.debug.enabled }} - --debug {{- end }} @@ -160,6 +178,9 @@ spec: - --cluster-id=$(CLUSTER_ID) - --kvstore-opt - etcd.config=/var/lib/cilium/etcd-config.yaml + {{- if hasKey .Values.clustermesh "maxConnectedClusters" }} + - --max-connected-clusters={{ .Values.clustermesh.maxConnectedClusters }} + {{- end }} {{- if ne .Values.clustermesh.apiserver.tls.authMode "legacy" }} - --cluster-users-enabled - --cluster-users-config-path=/var/lib/cilium/etcd-config/users.yaml @@ -167,6 +188,7 @@ spec: - --enable-external-workloads={{ .Values.externalWorkloads.enabled }} {{- if .Values.clustermesh.apiserver.metrics.enabled }} - --prometheus-serve-addr=:{{ .Values.clustermesh.apiserver.metrics.port }} + - --controller-group-metrics=all {{- end }} {{- with .Values.clustermesh.apiserver.extraArgs }} {{- toYaml . | trim | nindent 8 }} 
@@ -224,13 +246,18 @@ spec: securityContext: {{- toYaml . | nindent 10 }} {{- end }} + {{- with .Values.clustermesh.apiserver.lifecycle }} + lifecycle: + {{- toYaml . | nindent 10 }} + {{- end }} {{- if .Values.clustermesh.apiserver.kvstoremesh.enabled }} - name: kvstoremesh - image: {{ include "cilium.image" .Values.clustermesh.apiserver.kvstoremesh.image | quote }} - imagePullPolicy: {{ .Values.clustermesh.apiserver.kvstoremesh.image.pullPolicy }} + image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }} + imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }} command: - - /usr/bin/kvstoremesh + - /usr/bin/clustermesh-apiserver args: + - kvstoremesh {{- if .Values.debug.enabled }} - --debug {{- end }} @@ -240,8 +267,12 @@ spec: - --kvstore-opt=etcd.qps=100 - --kvstore-opt=etcd.maxInflight=10 - --clustermesh-config=/var/lib/cilium/clustermesh + {{- if hasKey .Values.clustermesh "maxConnectedClusters" }} + - --max-connected-clusters={{ .Values.clustermesh.maxConnectedClusters }} + {{- end }} {{- if .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled }} - --prometheus-serve-addr=:{{ .Values.clustermesh.apiserver.metrics.kvstoremesh.port }} + - --controller-group-metrics=all {{- end }} {{- with .Values.clustermesh.apiserver.kvstoremesh.extraArgs }} {{- toYaml . | trim | nindent 8 }} @@ -285,6 +316,10 @@ spec: securityContext: {{- toYaml . | nindent 10 }} {{- end }} + {{- with .Values.clustermesh.apiserver.kvstoremesh.lifecycle }} + lifecycle: + {{- toYaml . | nindent 10 }} + {{- end }} {{- end }} volumes: - name: etcd-server-secrets 
@@ -371,6 +406,7 @@ spec: priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }} serviceAccount: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} + terminationGracePeriodSeconds: {{ .Values.clustermesh.apiserver.terminationGracePeriodSeconds }} automountServiceAccountToken: {{ .Values.serviceAccounts.clustermeshApiserver.automount }} {{- with .Values.clustermesh.apiserver.affinity }} affinity: diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml index 63b50ace..0781af1e 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml @@ -7,6 +7,10 @@ kind: Service metadata: name: clustermesh-apiserver-metrics namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: clustermesh-apiserver app.kubernetes.io/part-of: cilium diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml index 243e1b23..4a1bbf7e 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml 
@@ -5,6 +5,10 @@ kind: PodDisruptionBudget
 metadata:
 name: clustermesh-apiserver
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 k8s-app: clustermesh-apiserver
 app.kubernetes.io/part-of: cilium
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml
index 466841d9..0a7028c5 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml
@@ -8,9 +8,14 @@ metadata:
 k8s-app: clustermesh-apiserver
 app.kubernetes.io/part-of: cilium
 app.kubernetes.io/name: clustermesh-apiserver
- {{- with .Values.clustermesh.apiserver.service.annotations }}
+ {{- if or .Values.clustermesh.apiserver.service.annotations .Values.clustermesh.annotations }}
 annotations:
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.clustermesh.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.clustermesh.apiserver.service.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 spec:
 type: {{ .Values.clustermesh.apiserver.service.type }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml
index b6153c39..0c8992ba 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml
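Review bot: In the service.yaml hunk the global `.Values.clustermesh.annotations` map and the resource-specific `service.annotations` map are each dumped with their own `toYaml`, so an annotation key present in both is emitted twice under `annotations:`; which copy wins then depends on the consumer's YAML decoder, and strict decoders reject the duplicate outright. The same shape is used in serviceaccount.yaml and servicemonitor.yaml (L148) and in the etcd service accounts (L166, L167), while tls-cronjob/serviceaccount.yaml (L153) and job.yaml (L152) emit the specific map first, so the implied precedence also differs between files. Merging the two maps before rendering gives one key per annotation with an explicit precedence; sprig's `mergeOverwrite` lets later arguments win, so the resource-specific map overrides the global one, though the behaviour with one of the maps unset should be verified.
```yaml
  {{- with mergeOverwrite (dict) .Values.clustermesh.annotations .Values.clustermesh.apiserver.service.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
```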
@@ -4,8 +4,13 @@ kind: ServiceAccount
 metadata:
 name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
 namespace: {{ .Release.Namespace }}
- {{- with .Values.serviceAccounts.clustermeshApiserver.annotations }}
+ {{- if or .Values.serviceAccounts.clustermeshApiserver.annotations .Values.clustermesh.annotations }}
 annotations:
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.clustermesh.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccounts.clustermeshApiserver.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
index d5ba6420..8ecf150b 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
@@ -14,10 +14,15 @@ metadata:
 {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
+ {{- if or .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations .Values.clustermesh.annotations }}
 annotations:
- {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations }}
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.clustermesh.annotations }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
+ {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
 spec:
 selector:
 matchLabels:
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
index 3bc84ae1..097cb14e 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
@@ -5,6 +5,10 @@ kind: Certificate
 metadata:
 name: clustermesh-apiserver-admin-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 issuerRef:
 {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
index 3c2cf643..f290fe8e 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
@@ -5,6 +5,10 @@ kind: Certificate
 metadata:
 name: clustermesh-apiserver-client-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 issuerRef:
 {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
index 0a5e42e2..06bb8bd2 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
@@ -5,6 +5,10 @@ kind: Certificate
 metadata:
 name: clustermesh-apiserver-remote-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 issuerRef:
 {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
index 86fe56f5..f7cfd7ad 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
@@ -5,6 +5,10 @@ kind: Certificate
 metadata:
 name: clustermesh-apiserver-server-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 issuerRef:
 {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl
index 67503e33..52a99089 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl
@@ -26,12 +26,8 @@ spec:
 {{- end }}
 - "--ca-generate"
 - "--ca-reuse-secret"
- {{- if .Values.clustermesh.apiserver.tls.ca.cert }}
- - "--ca-secret-name=clustermesh-apiserver-ca-cert"
- {{- else -}}
- {{- if and .Values.tls.ca.cert .Values.tls.ca.key }}
+ {{- if and .Values.tls.ca.cert .Values.tls.ca.key }}
 - "--ca-secret-name=cilium-ca"
- {{- end }}
 {{- end }}
 - "--clustermesh-apiserver-server-cert-generate"
 - "--clustermesh-apiserver-server-cert-validity-duration={{ $certValiditySecondsStr }}"
@@ -69,5 +65,9 @@ spec:
 volumes:
 {{- toYaml . | nindent 6 }}
 {{- end }}
+ affinity:
+ {{- with .Values.certgen.affinity }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml
deleted file mode 100644
index 6f499cd8..00000000
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") }}
-{{- $crt := .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert -}}
-{{- $key := .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key -}}
-{{- if and $crt $key }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: clustermesh-apiserver-ca-cert
- namespace: {{ .Release.Namespace }}
-data:
- ca.crt: {{ $crt }}
- ca.key: {{ $key }}
-{{- end }}
-{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
index 7711bc93..946602b4 100644
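Review bot: In the second hunk `affinity:` is written unconditionally and only its body is guarded, so a release with `certgen.affinity` unset renders the Job spec with a bare `affinity:` null key, while the `volumes:` block immediately above keeps its key inside the `{{- with }}`. Moving the `affinity:` line below the `{{- with .Values.certgen.affinity }}` line (and keeping the `toYaml`/`end` as they are) makes the two optional blocks consistent and keeps null keys out of the rendered manifest. The first hunk's removal of the `clustermesh-apiserver-ca-cert` secret name is matched by dropping it from the Role's `resourceNames` at L153, so the certgen ServiceAccount no longer retains get/update on a Secret it does not use. The enclosing `define` starts and ends outside these hunks.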
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
@@ -4,6 +4,10 @@ kind: CronJob
 metadata:
 name: clustermesh-apiserver-generate-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 k8s-app: clustermesh-apiserver-generate-certs
 app.kubernetes.io/part-of: cilium
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
index 06235f29..b6dd5bf1 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
@@ -13,5 +13,8 @@ metadata:
 {{- with .Values.certgen.annotations.job }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
+ {{- with .Values.clustermesh.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{ include "clustermesh-apiserver-generate-certs.job.spec" . }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml
index 0d0565a6..79960cba 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml
@@ -4,6 +4,10 @@ kind: Role
 metadata:
 name: clustermesh-apiserver-generate-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 rules:
@@ -19,7 +23,6 @@ rules:
 - secrets
 resourceNames:
 - cilium-ca
- - clustermesh-apiserver-ca-cert
 verbs:
 - get
 - update
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
index 22fc3ed7..4e67e047 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
@@ -4,6 +4,10 @@ kind: RoleBinding
 metadata:
 name: clustermesh-apiserver-generate-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 roleRef:
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
index a6f79a66..8dfaf52c 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
@@ -4,8 +4,13 @@ kind: ServiceAccount
 metadata:
 name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }}
 namespace: {{ .Release.Namespace }}
- {{- with .Values.serviceAccounts.clustermeshcertgen.annotations }}
+ {{- if or .Values.serviceAccounts.clustermeshcertgen.annotations .Values.clustermesh.annotations }}
 annotations:
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.serviceAccounts.clustermeshcertgen.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.clustermesh.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl
deleted file mode 100644
index 576160f9..00000000
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl
+++ /dev/null
@@ -1,37 +0,0 @@
-{{/*
-Generate TLS certificates for ClusterMesh.
-
-Note: Always use this template as follows:
-
- {{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
-
-The assignment to `$_` is required because we store the generated CI in a global `cmca` variable.
-Please, don't try to "simplify" this, as without this trick, every generated
-certificate would be signed by a different CA.
-*/}}
-{{- define "clustermesh-apiserver-generate-certs.helm.setup-ca" }}
- {{- if not .cmca }}
- {{- $ca := "" -}}
- {{- $crt := .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert -}}
- {{- $key := .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key -}}
- {{- if and $crt $key }}
- {{- $ca = buildCustomCert $crt $key -}}
- {{- else }}
- {{- with lookup "v1" "Secret" .Release.Namespace "clustermesh-apiserver-ca-cert" }}
- {{- $crt := index .data "ca.crt" }}
- {{- $key := index .data "ca.key" }}
- {{- $ca = buildCustomCert $crt $key -}}
- {{- else }}
- {{- $_ := include "cilium.ca.setup" . -}}
- {{- with lookup "v1" "Secret" .Release.Namespace .commonCASecretName }}
- {{- $crt := index .data "ca.crt" }}
- {{- $key := index .data "ca.key" }}
- {{- $ca = buildCustomCert $crt $key -}}
- {{- else }}
- {{- $ca = .commonCA -}}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- $_ := set . "cmca" $ca -}}
- {{- end }}
-{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml
index dfa1d987..63282c98 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml
@@ -1,17 +1,21 @@
 {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }}
-{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
+{{- $_ := include "cilium.ca.setup" . -}}
 {{- $cn := include "clustermesh-apiserver-generate-certs.admin-common-name" . -}}
 {{- $dns := list "localhost" }}
-{{- $cert := genSignedCert $cn nil $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}}
+{{- $cert := genSignedCert $cn nil $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
 name: clustermesh-apiserver-admin-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .cmca.Cert | b64enc }}
+ ca.crt: {{ .commonCA.Cert | b64enc }}
 tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml
deleted file mode 100644
index 832c6bb5..00000000
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml
+++ /dev/null
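Review bot: `{{- $_ := include "cilium.ca.setup" . -}}` in the admin-secret hunk depends on the same side-effect idiom the deleted `_helpers.tpl` (L154) documented — the `$_ :=` assignment is what stores the shared CA on the context so that every certificate in the release is signed by one CA — but that explanation disappears with the helper and nothing in this file replaces it. Unless `cilium.ca.setup` itself carries the note (not visible here), a one-line comment above the include, e.g. `{{- /* The $_ assignment is required: cilium.ca.setup stores the shared CA in .commonCA */ -}}`, keeps the invariant visible; the same line is introduced in client-secret (L156), remote-secret (L157) and server-secret (L158). The enclosing `{{- if }}` is complete within the hunk.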
@@ -1,12 +0,0 @@
-{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }}
-{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: clustermesh-apiserver-ca-cert
- namespace: {{ .Release.Namespace }}
-data:
- ca.crt: {{ .cmca.Cert | b64enc }}
- ca.key: {{ .cmca.Key | b64enc }}
-{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml
index fd943340..85137111 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml
@@ -1,16 +1,20 @@
 {{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }}
-{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
+{{- $_ := include "cilium.ca.setup" . -}}
 {{- $cn := "externalworkload" }}
-{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}}
+{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
 name: clustermesh-apiserver-client-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .cmca.Cert | b64enc }}
+ ca.crt: {{ .commonCA.Cert | b64enc }}
 tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml
index 4a68c747..7bfb1c5a 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml
@@ -1,16 +1,20 @@
 {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }}
-{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
+{{- $_ := include "cilium.ca.setup" . -}}
 {{- $cn := include "clustermesh-apiserver-generate-certs.remote-common-name" . -}}
-{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}}
+{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
 name: clustermesh-apiserver-remote-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .cmca.Cert | b64enc }}
+ ca.crt: {{ .commonCA.Cert | b64enc }}
 tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml
index beacb063..f958f353 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml
@@ -1,18 +1,22 @@
 {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }}
-{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}}
+{{- $_ := include "cilium.ca.setup" . -}}
 {{- $cn := "clustermesh-apiserver.cilium.io" }}
 {{- $ip := concat (list "127.0.0.1" "::1") .Values.clustermesh.apiserver.tls.server.extraIpAddresses }}
 {{- $dns := concat (list $cn "*.mesh.cilium.io" (printf "clustermesh-apiserver.%s.svc" .Release.Namespace)) .Values.clustermesh.apiserver.tls.server.extraDnsNames }}
-{{- $cert := genSignedCert $cn $ip $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}}
+{{- $cert := genSignedCert $cn $ip $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
 name: clustermesh-apiserver-server-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .cmca.Cert | b64enc }}
+ ca.crt: {{ .commonCA.Cert | b64enc }}
 tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml
index 4ff56ab2..de038ca8 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml
@@ -4,9 +4,13 @@ kind: Secret
 metadata:
 name: clustermesh-apiserver-admin-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }}
+ ca.crt: {{ .Values.tls.ca.cert }}
 tls.crt: {{ .Values.clustermesh.apiserver.tls.admin.cert | required "missing clustermesh.apiserver.tls.admin.cert" }}
 tls.key: {{ .Values.clustermesh.apiserver.tls.admin.key | required "missing clustermesh.apiserver.tls.admin.key" }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml
deleted file mode 100644
index 9b29a541..00000000
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: clustermesh-apiserver-ca-cert
- namespace: {{ .Release.Namespace }}
-data:
- ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }}
- {{- if .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key }}
- ca.key: {{ .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key }}
- {{- end }}
-{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml
index 02a180ff..b8ea7b60 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml
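Review bot: `ca.crt: {{ .Values.tls.ca.cert }}` in the admin-secret hunk loses the old fallback and, unlike the `tls.crt`/`tls.key` lines directly below it, has no `required` guard, so with `tls.ca.cert` unset the Secret renders with an empty `ca.crt` and whatever verifies peers against it presumably ends up with no trust anchor instead of the install failing early; `ca.crt: {{ .Values.tls.ca.cert | required "missing tls.ca.cert" }}` matches the sibling lines. The same line is introduced in the client, remote (L160) and server (L161) secrets. Dropping the `clustermesh.apiserver.tls.ca.cert` override also means a values file that still sets it switches silently to the common CA on upgrade, which is worth a line in the chart's upgrade notes since the trust relationship between clusters changes without any render-time error. The enclosing `{{- if }}` starts outside the hunk.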
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml
@@ -4,9 +4,13 @@ kind: Secret
 metadata:
 name: clustermesh-apiserver-client-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }}
+ ca.crt: {{ .Values.tls.ca.cert }}
 tls.crt: {{ .Values.clustermesh.apiserver.tls.client.cert | required "missing clustermesh.apiserver.tls.client.cert" }}
 tls.key: {{ .Values.clustermesh.apiserver.tls.client.key | required "missing clustermesh.apiserver.tls.client.key" }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml
index 7850b332..8a253eb5 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml
@@ -4,9 +4,13 @@ kind: Secret
 metadata:
 name: clustermesh-apiserver-remote-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }}
+ ca.crt: {{ .Values.tls.ca.cert }}
 tls.crt: {{ .Values.clustermesh.apiserver.tls.remote.cert | required "missing clustermesh.apiserver.tls.remote.cert" }}
 tls.key: {{ .Values.clustermesh.apiserver.tls.remote.key | required "missing clustermesh.apiserver.tls.remote.key" }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml
index bb160d62..8c239b07 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml
@@ -4,9 +4,13 @@ kind: Secret
 metadata:
 name: clustermesh-apiserver-server-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }}
+ ca.crt: {{ .Values.tls.ca.cert }}
 tls.crt: {{ .Values.clustermesh.apiserver.tls.server.cert | required "missing clustermesh.apiserver.tls.server.cert" }}
 tls.key: {{ .Values.clustermesh.apiserver.tls.server.key | required "missing clustermesh.apiserver.tls.server.key" }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml
index 7c278978..e1cbf95f 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml
@@ -5,6 +5,10 @@ kind: ConfigMap
 metadata:
 name: clustermesh-remote-users
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 data:
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl b/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl
index f492275f..5cd31486 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl
@@ -1,8 +1,7 @@
 {{- define "clustermesh-config-generate-etcd-cfg" }}
 {{- $cluster := index . 0 -}}
 {{- $domain := index . 1 -}}
-{{- $hasCustomCACert := index . 2 -}}
-{{- $override := index . 3 -}}
+{{- $override := index . 2 -}}
 {{- /* The parenthesis around $cluster.tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}}
 {{- $prefix := ternary "common-" (printf "%s." $cluster.name) (or (ne $override "") (empty ($cluster.tls).cert) (empty ($cluster.tls).key)) -}}
@@ -14,7 +13,7 @@ endpoints:
 {{- else }}
 - https://{{ $cluster.address | required "missing clustermesh.apiserver.config.clusters.address" }}:{{ $cluster.port }}
 {{- end }}
-{{- if $hasCustomCACert }}
+{{- if not (empty ($cluster.tls).caCert) }}
 {{- /* The custom CA configuration takes effect only if a custom certificate and key are also set */}}
 trusted-ca-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client-ca.crt
 {{- else }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml
index 36e23b4e..78ddecd9 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml
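Review bot: `clustermesh-config-generate-etcd-cfg` takes its inputs as a positional list, and the first hunk shifts `$override` from `index . 3` to `index . 2` while the two callers in clustermesh-secret.yaml (L163) and kvstoremesh-secret.yaml (L164) are updated to match; nothing at the `define` records the expected argument order, so a future reshuffle can pass the wrong element without a render-time error. A one-line comment under the `define`, e.g. `{{- /* args: (list $cluster $domain $override) */ -}}`, documents the contract. A caller still passing the old four-element list would hand a bool to `$override`, and the `ne $override ""` comparison in this hunk should then fail at render time rather than silently produce the common-CA config, which is the better failure mode, though I have not verified that against text/template's mixed-type comparison rules. The `define` body continues past the second hunk.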
@@ -1,19 +1,23 @@
-{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled }}
+{{- if .Values.clustermesh.config.enabled }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
 name: cilium-clustermesh
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 data:
- {{- $override := ternary (printf "https://clustermesh-apiserver.%s.svc:2379" .Release.Namespace) "" $.Values.clustermesh.apiserver.kvstoremesh.enabled }}
+ {{- $kvstoremesh := and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled }}
+ {{- $override := ternary (printf "https://clustermesh-apiserver.%s.svc:2379" .Release.Namespace) "" $kvstoremesh }}
 {{- range .Values.clustermesh.config.clusters }}
- {{- $hasCustomCACert := or (.tls).caCert $.Values.clustermesh.apiserver.tls.ca.cert }}
- {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain $hasCustomCACert $override) | b64enc }}
+ {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain $override) | b64enc }}
 {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}}
 {{- if and (eq $override "") (.tls).cert (.tls).key }}
- {{- if $hasCustomCACert }}
- {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert | default $.Values.clustermesh.apiserver.tls.ca.cert }}
+ {{- if .tls.caCert }}
+ {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }}
 {{- end }}
 {{ .name }}.etcd-client.key: {{ .tls.key }}
 {{ .name }}.etcd-client.crt: {{ .tls.cert }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml
index f79c4ade..91ae0320 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml
@@ -5,14 +5,17 @@ kind: Secret
 metadata:
 name: cilium-kvstoremesh
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 data:
 {{- range .Values.clustermesh.config.clusters }}
- {{- $hasCustomCACert := or (.tls).caCert $.Values.clustermesh.apiserver.tls.ca.cert }}
- {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain $hasCustomCACert "") | b64enc }}
+ {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain "") | b64enc }}
 {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}}
 {{- if and (.tls).cert (.tls).key }}
- {{- if $hasCustomCACert }}
- {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert | default $.Values.clustermesh.apiserver.tls.ca.cert }}
+ {{- if .tls.caCert }}
+ {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }}
 {{- end }}
 {{ .name }}.etcd-client.key: {{ .tls.key }}
 {{ .name }}.etcd-client.crt: {{ .tls.cert }}
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml
index 2f0b6c22..22a81c2c 100644
--- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml
+++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: cilium-etcd-operator
+ {{- with .Values.etcd.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 rules:
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml
index e9578f7f..25a92e10 100644
--- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: cilium-etcd-operator
+ {{- with .Values.etcd.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 roleRef:
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml
index 914087f6..5946219f 100644
--- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml
@@ -9,6 +9,10 @@ metadata:
 app.kubernetes.io/part-of: cilium
 name: cilium-etcd-operator
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.etcd.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 replicas: 1
 selector:
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml
index 9bc0a3ea..7d7b765a 100644
--- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml
@@ -4,8 +4,13 @@ kind: ServiceAccount
 metadata:
 name: {{ .Values.serviceAccounts.etcd.name | quote }}
 namespace: {{ .Release.Namespace }}
- {{- if .Values.serviceAccounts.etcd.annotations }}
+ {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }}
 annotations:
-{{ toYaml .Values.serviceAccounts.etcd.annotations | indent 4 }}
+ {{- with .Values.etcd.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccounts.etcd.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml
index 424498f6..72cb4e6e 100644
--- a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml
+++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: etcd-operator
+ {{- with .Values.etcd.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 rules:
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml
index a56624d0..b729ea71 100644
--- a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: etcd-operator
+ {{- with .Values.etcd.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 roleRef:
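Review bot: The two `with` blocks under `annotations:` are simply concatenated, so a key present in both `.Values.etcd.annotations` and `.Values.serviceAccounts.etcd.annotations` is rendered twice inside one mapping; depending on the YAML decoder that either silently keeps the later (per-ServiceAccount) value or rejects the manifest for a duplicate key. If last-wins precedence is intended, state it, e.g. `{{- /* serviceAccounts.etcd.annotations are emitted last and override etcd.annotations on conflict */}}`, or combine the two maps with `merge` before a single `toYaml`. The same concatenation pattern appears in this commit's etcd-operator-serviceaccount, hubble-relay serviceaccount and servicemonitor, hubble-ui ingress, service and serviceaccount, hubble dashboards-configmap and servicemonitor, and tls-cronjob cronjob and serviceaccount templates.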
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml index 278d9842..06ee39c1 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml @@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: cilium-etcd-sa namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.etcd.annotations }} + {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }} annotations: -{{ toYaml .Values.serviceAccounts.etcd.annotations | indent 4 }} + {{- with .Values.etcd.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.etcd.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml index 72e0b835..5939b4ae 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml @@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: cilium-etcd-operator namespace: {{ .Release.Namespace }} + {{- with .Values.etcd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: io.cilium/app: etcd-operator name: cilium-etcd-operator diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml index 0f5a037d..93f5b8d8 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml 
@@ -9,6 +9,10 @@ kind: ConfigMap
 metadata:
 name: hubble-relay-config
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.relay.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 data:
 config.yaml: |
 cluster-name: {{ .Values.cluster.name }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml
index c72d9af8..52b9eba5 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml
@@ -4,6 +4,10 @@ kind: Deployment
 metadata:
 name: hubble-relay
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.relay.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 k8s-app: hubble-relay
 app.kubernetes.io/name: hubble-relay
@@ -67,11 +71,26 @@ spec:
 protocol: TCP
 {{- end }}
 readinessProbe:
- tcpSocket:
- port: grpc
+ {{- include "hubble-relay.probe" . | nindent 12 }}
+ {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
+ # Starting from Kubernetes 1.20, we are using startupProbe instead
+ # of this field.
+ initialDelaySeconds: 5
+ {{- end }}
 livenessProbe:
- tcpSocket:
- port: grpc
+ {{- include "hubble-relay.probe" . | nindent 12 }}
+ {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
+ # Starting from Kubernetes 1.20, we are using startupProbe instead
+ # of this field.
+ initialDelaySeconds: 60
+ {{- end }}
+ {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
+ startupProbe:
+ # give the relay one minute to start up
+ {{- include "hubble-relay.probe" . | nindent 12 }}
+ failureThreshold: 20
+ periodSeconds: 3
+ {{- end }}
 {{- with .Values.hubble.relay.extraEnv }}
 env:
 {{- toYaml . | trim | nindent 12 }}
@@ -166,3 +185,17 @@ spec:
 {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- end }}
+
+{{- define "hubble-relay.probe" }}
+{{- /* This distinction can be removed once we drop support for k8s 1.23 */}}
+{{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}}
+grpc:
+ port: 4222
+{{- else }}
+exec:
+ command:
+ - grpc_health_probe
+ - -addr=localhost:4222
+{{- end }}
+timeoutSeconds: 3
+{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml
index 5b7c99c9..1066c6c4 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml
@@ -5,6 +5,10 @@ apiVersion: v1
 metadata:
 name: hubble-relay-metrics
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.relay.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 k8s-app: hubble-relay
 spec:
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml
index 8a90916a..4fd6da9b 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml
@@ -5,6 +5,10 @@ kind: PodDisruptionBudget
 metadata:
 name: hubble-relay
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.relay.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 k8s-app: hubble-relay
 app.kubernetes.io/name: hubble-relay
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml
index d995c419..39259473 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml
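Review bot: `hubble-relay.probe` hard-codes `4222` in both branches, whereas the `tcpSocket` probes it replaces in the deployment hunk above referenced the container port by its `grpc` name; if the relay's listen port is configurable through values, the new probes will not follow it, and if 4222 is a dedicated health listener that is worth saying. Consider a comment at the top of the helper such as `{{- /* 4222 is the relay health-check listener; keep in sync with the relay container args */}}`, adjusted to whatever the container spec (outside this hunk) actually passes. The `exec` fallback additionally relies on `grpc_health_probe` being present in the relay image on clusters below 1.24, which the chart cannot verify at render time.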
+++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml @@ -4,6 +4,10 @@ apiVersion: v1 metadata: name: hubble-relay namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.relay.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-relay app.kubernetes.io/name: hubble-relay diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml index f42bd1b0..cf56d631 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml @@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.relay.name | quote }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.relay.annotations }} + {{- if or .Values.serviceAccounts.relay.annotations .Values.hubble.relay.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.relay.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.relay.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml index 0b9f1622..4e41fdf3 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml 
@@ -8,10 +8,15 @@ metadata: {{- with .Values.hubble.relay.prometheus.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.hubble.relay.prometheus.serviceMonitor.annotations .Values.hubble.relay.annotations }} annotations: - {{- with .Values.hubble.relay.prometheus.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.relay.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.hubble.relay.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl b/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl index 3b409207..e787b5aa 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl @@ -49,6 +49,13 @@ server { # double `/index.html` is required here try_files $uri $uri/ /index.html /index.html; } + + # Liveness probe + location /healthz { + access_log off; + add_header Content-Type text/plain; + return 200 'ok'; + } } } {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml index c3fa7809..5df709f7 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml @@ -3,6 +3,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hubble-ui + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: 
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml index 16c688df..d091786b 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml @@ -3,6 +3,10 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hubble-ui + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml index bbab253d..8b5f0141 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml @@ -5,6 +5,10 @@ kind: ConfigMap metadata: name: hubble-ui-nginx namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: nginx.conf: {{ include "hubble-ui.nginx.conf" . | trim | quote }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml index 9dfbcdb5..a7dd5cb8 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml @@ -4,6 +4,10 @@ apiVersion: apps/v1 metadata: name: hubble-ui namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-ui app.kubernetes.io/name: hubble-ui 
@@ -60,6 +64,14 @@ spec:
 env:
 {{- toYaml . | trim | nindent 12 }}
 {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8081
 {{- with .Values.hubble.ui.frontend.resources }}
 resources:
 {{- toYaml . | trim | nindent 10 }}
@@ -90,7 +102,7 @@ spec:
 - name: TLS_TO_RELAY_ENABLED
 value: "true"
 - name: TLS_RELAY_SERVER_NAME
- value: ui.hubble-relay.cilium.io
+ value: {{ .Values.hubble.relay.tls.server.relayName }}
 - name: TLS_RELAY_CA_CERT_FILES
 value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt
 - name: TLS_RELAY_CLIENT_CERT_FILE
@@ -104,6 +116,18 @@ spec:
 {{- with .Values.hubble.ui.backend.extraEnv }}
 {{- toYaml . | trim | nindent 8 }}
 {{- end }}
+ {{- if .Values.hubble.ui.backend.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8090
+ {{- end }}
+ {{- if .Values.hubble.ui.backend.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8090
+ {{- end }}
 ports:
 - name: grpc
 containerPort: 8090
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml
index b48e2cb4..2c0ff7d3 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml
@@ -12,9 +12,14 @@ metadata:
 {{- with .Values.hubble.ui.ingress.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .Values.hubble.ui.ingress.annotations }}
+ {{- if or .Values.hubble.ui.ingress.annotations .Values.hubble.ui.annotations }}
 annotations:
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.hubble.ui.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.hubble.ui.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 spec:
 {{- if .Values.hubble.ui.ingress.className }}
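Review bot: `value: {{ .Values.hubble.relay.tls.server.relayName }}` is emitted unquoted while the neighbouring env values in this block are quoted strings; an empty `relayName` renders as `value:` (null) and the Deployment is rejected because `env[].value` must be a string, and a value containing `: ` or ` #` would be mis-parsed. Use `value: {{ .Values.hubble.relay.tls.server.relayName | quote }}`. Since this name is what the UI backend checks the relay server certificate against, it also has to match a SAN of the certificate produced by the relay-server-secret templates, which this hunk does not show. Separately, the frontend probes on port 8081 are unconditional while the backend probes are gated on `livenessProbe.enabled`/`readinessProbe.enabled`; the asymmetry is presumably deliberate but deserves a one-line comment.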
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml index 3108a493..af3b6705 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml @@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: hubble-ui namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-ui app.kubernetes.io/name: hubble-ui diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml index 52eb6eec..a820b342 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml @@ -4,9 +4,14 @@ apiVersion: v1 metadata: name: hubble-ui namespace: {{ .Release.Namespace }} - {{- if .Values.hubble.ui.service.annotations }} + {{- if or .Values.hubble.ui.service.annotations .Values.hubble.ui.annotations }} annotations: - {{- toYaml .Values.hubble.ui.service.annotations | nindent 4 }} + {{- with .Values.hubble.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.hubble.ui.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} labels: k8s-app: hubble-ui diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml index 28f6061c..dc02ea2b 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml 
@@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.ui.name | quote }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.ui.annotations }} + {{- if or .Values.serviceAccounts.ui.annotations .Values.hubble.ui.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml b/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml index c8453560..c668ebfd 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml @@ -15,9 +15,14 @@ metadata: {{- if $.Values.hubble.metrics.dashboards.label }} {{ $.Values.hubble.metrics.dashboards.label }}: {{ ternary $.Values.hubble.metrics.dashboards.labelValue "1" (not (empty $.Values.hubble.metrics.dashboards.labelValue)) | quote }} {{- end }} - {{- with $.Values.hubble.metrics.dashboards.annotations }} + {{- if or $.Values.hubble.metrics.dashboards.annotations $.Values.hubble.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with $.Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $.Values.hubble.metrics.dashboards.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} data: {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml b/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml index 0c72c0de..ab5cfbab 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml 
@@ -9,6 +9,9 @@ metadata: app.kubernetes.io/name: hubble app.kubernetes.io/part-of: cilium annotations: + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.hubble.metrics.serviceAnnotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml b/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml index f54fa6c6..7ba56456 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml @@ -4,6 +4,10 @@ kind: Service metadata: name: hubble-peer namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: cilium app.kubernetes.io/part-of: cilium diff --git a/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml index 27304ee8..3b3ba8ba 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml @@ -9,10 +9,15 @@ metadata: {{- with .Values.hubble.metrics.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.hubble.metrics.serviceMonitor.annotations .Values.hubble.annotations }} annotations: - {{- with .Values.hubble.metrics.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.hubble.metrics.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: 
@@ -33,4 +38,7 @@ spec: metricRelabelings: {{- toYaml . | nindent 4 }} {{- end }} +{{- if .Values.hubble.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.hubble.metrics.serviceMonitor.jobLabel | quote }} +{{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml index 23bea64b..1dd96b18 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml @@ -5,6 +5,10 @@ kind: Certificate metadata: name: hubble-relay-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml index 77f2800e..845b4fb8 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml @@ -5,6 +5,10 @@ kind: Certificate metadata: name: hubble-relay-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml index 1ca815fb..5f202e10 100644 
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml
@@ -6,6 +6,10 @@ kind: Certificate
 metadata:
 name: hubble-server-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 issuerRef:
 {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
index 88d59490..5006666e 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
@@ -5,6 +5,10 @@ kind: Certificate
 metadata:
 name: hubble-ui-client-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 issuerRef:
 {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
index f3d595b7..4bee347a 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
@@ -60,5 +60,9 @@ spec:
 volumes:
 {{- toYaml . | nindent 6 }}
 {{- end }}
+ affinity:
+ {{- with .Values.certgen.affinity }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }}
 {{- end }}
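Review bot: `affinity:` in `_job-spec.tpl` is emitted unconditionally, so with `.Values.certgen.affinity` unset the pod spec renders `affinity:` with a null value; the API server tolerates that, but it departs from the `volumes:` block two lines above, which is wrapped in its own `with`. Move the key inside the guard: `{{- with .Values.certgen.affinity }}` / `affinity:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`. The enclosing job-spec template (presumably `hubble-generate-certs.job.spec`, which job.yaml includes) starts outside the hunk.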
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml index dc075670..74d07831 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: hubble-generate-certs + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml index ebe60279..5938f16c 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: hubble-generate-certs + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml index 5a5992cf..fa996608 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml 
@@ -8,10 +8,15 @@ metadata: k8s-app: hubble-generate-certs app.kubernetes.io/name: hubble-generate-certs app.kubernetes.io/part-of: cilium + {{- if or .Values.certgen.annotations.cronJob .Values.hubble.annotations }} annotations: - {{- with .Values.certgen.annotations.cronJob }} - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.certgen.annotations.cronJob }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: schedule: {{ .Values.hubble.tls.auto.schedule | quote }} concurrencyPolicy: Forbid diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml index e748165a..9831fdc6 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml @@ -14,5 +14,8 @@ metadata: {{- with .Values.certgen.annotations.job }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{ include "hubble-generate-certs.job.spec" . }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml index d538d67d..62a8de80 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml 
@@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.hubblecertgen.annotations }} + {{- if or .Values.serviceAccounts.hubblecertgen.annotations .Values.hubble.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.hubblecertgen.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml index 947565ea..e1d6e876 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml @@ -9,6 +9,10 @@ kind: Secret metadata: name: hubble-relay-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml index 2c2339d6..902c2be4 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml @@ -10,6 +10,10 @@ kind: Secret metadata: name: hubble-relay-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} 
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml index cc3c1d91..a05c3266 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml @@ -10,6 +10,10 @@ kind: Secret metadata: name: hubble-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml index 90376d65..7b385b26 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml @@ -9,6 +9,10 @@ kind: Secret metadata: name: hubble-ui-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml index 4a15f646..b1512ed2 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml 
@@ -4,6 +4,10 @@ kind: Secret metadata: name: hubble-relay-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .Values.tls.ca.cert }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml index 2038f785..07059143 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml @@ -4,6 +4,10 @@ kind: Secret metadata: name: hubble-relay-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .Values.tls.ca.cert }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml index ecc0bf07..f659a1fb 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml @@ -4,6 +4,10 @@ kind: Secret metadata: name: hubble-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .Values.tls.ca.cert }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml index 7ed9472d..ca7683a4 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml 
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml @@ -4,6 +4,10 @@ kind: Secret metadata: name: hubble-ui-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .Values.tls.ca.cert }} diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml index 57d7ae0d..90e2165d 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml @@ -3,6 +3,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} rules: # Required cluster role to allow spire-agent to query k8s API server - apiGroups: [ "" ] diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml index f7290825..50fe9588 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml @@ -4,6 +4,10 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} roleRef: kind: ClusterRole name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} 
diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml index 21e1a70a..7d365ba6 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml @@ -4,6 +4,10 @@ kind: ConfigMap metadata: name: spire-agent namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: agent.conf: | agent { diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml index 3edda5d5..6c0bffe7 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml @@ -4,9 +4,14 @@ kind: DaemonSet metadata: name: spire-agent namespace: {{ .Values.authentication.mutual.spire.install.namespace }} - {{- with .Values.authentication.mutual.spire.install.server.annotations }} + {{- if or .Values.authentication.mutual.spire.install.server.annotations .Values.authentication.mutual.spire.annotations }} annotations: - {{- toYaml . | nindent 8 }} + {{- with .Values.authentication.mutual.spire.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.authentication.mutual.spire.install.server.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} labels: app: spire-agent 
@@ -36,7 +41,8 @@ spec: {{- end }} initContainers: - name: init - image: docker.io/library/busybox:1.35.0@sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b + image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }} + imagePullPolicy: {{ .Values.authentication.mutual.spire.install.initImage.pullPolicy }} command: - /bin/sh - -c @@ -44,7 +50,12 @@ spec: {{- tpl (.Files.Get "files/spire/wait-for-spire.bash") . | nindent 14 }} containers: - name: spire-agent + {{- if eq (typeOf .Values.authentication.mutual.spire.install.agent.image) "string" }} image: {{ .Values.authentication.mutual.spire.install.agent.image }} + {{- else }} + image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.agent.image | quote }} + imagePullPolicy: {{ .Values.authentication.mutual.spire.install.agent.image.pullPolicy }} + {{- end }} args: ["-config", "/run/spire/config/agent.conf"] {{- with .Values.authentication.mutual.spire.install.agent.securityContext }} securityContext: diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml index f155b5e6..95f7e431 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml @@ -4,4 +4,8 @@ kind: ServiceAccount metadata: name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml b/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml index 986e6604..389b8d58 100644 
--- a/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml @@ -4,4 +4,8 @@ kind: ConfigMap metadata: name: spire-bundle namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml b/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml index a0f3e23d..ccd38680 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml @@ -1,6 +1,10 @@ -{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} +{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled (not .Values.authentication.mutual.spire.install.existingNamespace) -}} apiVersion: v1 kind: Namespace metadata: name: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml index 95cc911a..31bc2de1 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml 
@@ -4,6 +4,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} rules: # ClusterRole to allow spire-server node attestor to query Token Review API - apiGroups: [ "authentication.k8s.io" ] diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml index aaefe4ff..4a04d80c 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml @@ -3,6 +3,10 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} roleRef: kind: ClusterRole name: spire-server diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml index 9785c11e..d7347595 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml @@ -4,6 +4,10 @@ kind: ConfigMap metadata: name: spire-server namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: server.conf: | server { diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml index 38e0b113..2d38fe14 100644 
--- a/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml @@ -4,6 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} rules: # Role (namespace scoped) to be able to push certificate bundles to a configmap - apiGroups: [ "" ] diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml index a3e18731..497bd60c 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml @@ -4,6 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -18,6 +22,10 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}-pod namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml index 31fee016..32288a44 100644 
--- a/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml @@ -4,9 +4,14 @@ kind: Service metadata: name: spire-server namespace: {{ .Values.authentication.mutual.spire.install.namespace }} - {{- with .Values.authentication.mutual.spire.install.server.service.annotations }} + {{- if or .Values.authentication.mutual.spire.install.server.service.annotations .Values.authentication.mutual.spire.annotations }} annotations: - {{- toYaml . | nindent 8 }} + {{- with .Values.authentication.mutual.spire.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.authentication.mutual.spire.install.server.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- with .Values.authentication.mutual.spire.install.server.service.labels }} labels: diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml index 2d4aa4a3..cd365c89 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml @@ -4,4 +4,8 @@ kind: ServiceAccount metadata: name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} namespace: {{ .Values.authentication.mutual.spire.install.namespace }} + {{- with .Values.authentication.mutual.spire.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml index 43c2c9ee..49ab9690 100644 --- a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml +++ b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml 
@@ -4,9 +4,14 @@ kind: StatefulSet metadata: name: spire-server namespace: {{ .Values.authentication.mutual.spire.install.namespace }} - {{- with .Values.authentication.mutual.spire.install.server.annotations }} + {{- if or .Values.authentication.mutual.spire.install.server.annotations .Values.authentication.mutual.spire.annotations }} annotations: - {{- toYaml . | nindent 8 }} + {{- with .Values.authentication.mutual.spire.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.authentication.mutual.spire.install.server.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} labels: app: spire-server 
@@ -29,20 +34,30 @@ spec: spec: serviceAccountName: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }} shareProcessNamespace: true + {{- with .Values.authentication.mutual.spire.install.server.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- if gt (len .Values.authentication.mutual.spire.install.server.initContainers) 0 }} initContainers: {{- toYaml .Values.authentication.mutual.spire.install.server.initContainers | nindent 8 }} {{- end }} containers: - name: cilium-init - image: docker.io/library/busybox:1.35.0@sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b + image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }} + imagePullPolicy: {{ .Values.authentication.mutual.spire.install.initImage.pullPolicy }} command: - /bin/sh - -c - | {{- tpl (.Files.Get "files/spire/init.bash") . | nindent 12 }} - name: spire-server + {{- if eq (typeOf .Values.authentication.mutual.spire.install.server.image) "string" }} image: {{ .Values.authentication.mutual.spire.install.server.image }} + {{- else }} + image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.server.image | quote }} + imagePullPolicy: {{ .Values.authentication.mutual.spire.install.server.image.pullPolicy }} + {{- end }} args: - -config - /run/spire/config/server.conf @@ -75,6 +90,10 @@ spec: port: 8080 initialDelaySeconds: 5 periodSeconds: 5 + {{- with .Values.authentication.mutual.spire.install.server.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} {{- with .Values.authentication.mutual.spire.install.server.affinity }} affinity: {{- toYaml . | nindent 8 }} diff --git a/packages/system/cilium/charts/cilium/templates/validate.yaml b/packages/system/cilium/charts/cilium/templates/validate.yaml index dfb5cb30..3c89e4e3 100644 --- a/packages/system/cilium/charts/cilium/templates/validate.yaml 
+++ b/packages/system/cilium/charts/cilium/templates/validate.yaml @@ -30,6 +30,10 @@ {{- end }} {{- end }} +{{- if and .Values.hubble.redact.http.headers.allow .Values.hubble.redact.http.headers.deny }} + {{ fail "Only one of .Values.hubble.redact.http.headers.allow, .Values.hubble.redact.http.headers.deny can be specified"}} +{{- end }} + {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} {{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }} {{ fail "ClusterMesh TLS certgen method=certmanager requires that user specifies .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef" }} 
@@ -74,3 +78,26 @@ {{ fail "if Cilium Endpoint Slice is enabled (.Values.enableCiliumEndpointSlice=true), it requires .Values.disableEndpointCRD=false" }} {{- end }} {{- end }} + +{{/* validate clustermesh-apiserver */}} +{{- if .Values.clustermesh.useAPIServer }} + {{- if ne .Values.identityAllocationMode "crd" }} + {{ fail (printf "The clustermesh-apiserver cannot be enabled in combination with .Values.identityAllocationMode=%s. To establish a Cluster Mesh, directly configure the parameters to access the remote kvstore through .Values.clustermesh.config" .Values.identityAllocationMode ) }} + {{- end }} + {{- if .Values.disableEndpointCRD }} + {{ fail "The clustermesh-apiserver cannot be enabled in combination with .Values.disableEndpointCRD=true" }} + {{- end }} +{{- end }} +{{- if .Values.externalWorkloads.enabled }} + {{- if ne .Values.identityAllocationMode "crd" }} + {{ fail (printf "External workloads support cannot be enabled in combination with .Values.identityAllocationMode=%s" .Values.identityAllocationMode ) }} + {{- end }} + {{- if .Values.disableEndpointCRD }} + {{ fail "External workloads support cannot be enabled in combination with .Values.disableEndpointCRD=true" }} + {{- end }} +{{- end }} + +{{/*validate ClusterMesh */}} +{{- if and (ne (int .Values.clustermesh.maxConnectedClusters) 255) (ne (int .Values.clustermesh.maxConnectedClusters) 511) }} + {{- fail "max-connected-clusters must be set to 255 or 511" }} +{{- end }} diff --git a/packages/system/cilium/charts/cilium/values.yaml b/packages/system/cilium/charts/cilium/values.yaml index 6774bd6c..3ee7a577 100644 --- a/packages/system/cilium/charts/cilium/values.yaml +++ b/packages/system/cilium/charts/cilium/values.yaml 
@@ -1,10 +1,10 @@ # File generated by install/kubernetes/Makefile; DO NOT EDIT. -# This file is based on install/kubernetes/cilium/values.yaml.tmpl. +# This file is based on install/kubernetes/cilium/*values.yaml.tmpl. # upgradeCompatibility helps users upgrading to ensure that the configMap for # Cilium will not change critical values to ensure continued operation -# This is flag is not required for new installations. +# This flag is not required for new installations. # For example: 1.7, 1.8, 1.9 # upgradeCompatibility: '1.8' @@ -15,6 +15,7 @@ debug: # This option is used to enable debug messages for operations related to such # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). # # Applicable values: # - flow @@ -46,11 +47,13 @@ k8sServicePort: "" # rate limit, the agent and operator will start to throttle requests by delaying # them until there is budget or the request times out. k8sClientRateLimit: - # -- The sustained request rate in requests per second. - qps: 5 - # -- The burst request rate in requests per second. + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. # The rate limiter will allow short bursts with a higher rate. - burst: 10 + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: cluster: # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. 
@@ -143,10 +146,10 @@ rollOutCiliumPods: false image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.14.10" + tag: "v1.15.5" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031" + digest: "sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40" useDigest: true # -- Affinity for cilium-agent. @@ -211,9 +214,14 @@ extraConfig: {} # test 2 # test 3 -# -- Security Context for cilium-agent pods. -podSecurityContext: {} +# -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) +annotations: {} +# -- Security Context for cilium-agent pods. +podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to agent pods podAnnotations: {} @@ -404,6 +412,12 @@ bgp: bgpControlPlane: # -- Enables the BGP control plane. enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system pmtuDiscovery: # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to @@ -452,7 +466,17 @@ bpf: # @default -- `524288` neighMax: ~ + # @schema + # type: [null, integer] + # @schema + # @default -- `16384` + # -- (int) Configures the maximum number of entries for the node table. + nodeMapMax: ~ + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + # @schema + # type: [null, integer] + # @schema policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. 
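Review bot: The `@@ -211,9 +214,14 @@` hunk changes `podSecurityContext` from `{}` to a default of `appArmorProfile: type: "Unconfined"`, which removes the runtime's default AppArmor confinement from every cilium-agent pod; that is a security-relevant default pulled in by a vendored values.yaml, and this repo's own overrides are not in the diff. A namespace enforcing the Pod Security Standards baseline level rejects `Unconfined` (only unset, `RuntimeDefault` and `Localhost` are allowed there), and the structured `appArmorProfile` field is only honoured by API servers that know it (presumably 1.30+; older servers may drop the field as unknown), so confirm the target clusters accept this. The doc comment in values.yaml should also say why the agent needs to run unconfined rather than only naming the option, e.g. `# -- AppArmorProfile for the cilium-agent and init containers; Unconfined is required because the agent manages host networking/BPF state that the runtime default profile blocks — TODO confirm against upstream rationale`.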
@@ -585,6 +609,12 @@ cni: # inside the agent pod. hostConfDirMountPath: /host/etc/cni/net.d + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + # -- (string) Configure how frequently garbage collection should occur for the datapath # connection tracking table. # @default -- `"0s"` @@ -646,7 +676,8 @@ daemon: # -- Specify which network interfaces can run the eBPF datapath. This means # that a packet sent from a pod to a destination outside the cluster will be # masqueraded (to an output device IPv4 address), if the output device runs the -# program. When not specified, probing will automatically detect devices. +# program. When not specified, probing will automatically detect devices that have +# a non-local route. This should be used only when autodetection is not suitable. # devices: "" # -- Enables experimental support for the detection of new and removed datapath @@ -661,13 +692,6 @@ enableRuntimeDeviceDetection: false # -- Limit iptables-based egress masquerading to interface selector. # egressMasqueradeInterfaces: "" -# -- Whether to enable CNP status updates. -enableCnpStatusUpdates: false - -# -- Configures the use of the KVStore to optimize Kubernetes event handling by -# mirroring it into the KVstore for reduced overhead in large clusters. -enableK8sEventHandover: false - # -- Enable setting identity mark for local traffic. # enableIdentityMark: true 
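Review bot: The `@@ -661,13 +692,6 @@` hunk deletes the `enableCnpStatusUpdates` and `enableK8sEventHandover` keys from values.yaml; unless the chart ships a values.schema.json that rejects unknown keys (none is visible in this diff), any downstream override that still sets them is now accepted and silently ignored rather than surfaced as an error. It would help to check this repo's own values for the cilium package for those two keys as part of this bump, and to leave a short deprecation comment at the removal site if upstream does not already note it in its upgrade guide.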
@@ -709,8 +733,10 @@ ingressController: # Incoming traffic to http listener will return 308 http error code with respective location in header. enforceHttps: true - # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate - # from Ingress to the Load Balancer service + # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. + enableProxyProtocol: false + + # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] # -- Default secret namespace for ingresses without .spec.tls[].secretName set. @@ -788,6 +814,18 @@ encryption: # This option is only effective when encryption.type is set to "wireguard". nodeEncryption: false + # -- Configure the WireGuard Pod2Pod strict mode. + strictMode: + # -- Enable WireGuard Pod2Pod strict mode. + enabled: false + + # -- CIDR for the WireGuard Pod2Pod strict mode. + cidr: "" + + # -- Allow dynamic lookup of remote node identities. + # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. + allowRemoteNodeIdentities: false + ipsec: # -- Name of the key file inside the Kubernetes secret configured via secretName. keyFile: "" @@ -812,6 +850,8 @@ encryption: wireguard: # -- Enables the fallback to the user-space implementation. userspaceFallback: false + # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. + persistentKeepalive: 0s # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. # Name of the key file inside the Kubernetes secret configured via secretName. 
@@ -933,8 +973,8 @@ certgen: image: override: ~ repository: "quay.io/cilium/certgen" - tag: "v0.1.11" - digest: "sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6" + tag: "v0.1.12" + digest: "sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e" useDigest: true pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted @@ -955,10 +995,16 @@ certgen: # -- Additional certgen volumeMounts. extraVolumeMounts: [] + # -- Affinity for certgen + affinity: {} + hubble: # -- Enable Hubble (true by default). enabled: true + # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) + annotations: {} + # -- Buffer size of the channel Hubble uses to receive monitor events. If this # value is not set, the queue size is set to the default monitor queue size. # eventQueueSize: "" @@ -987,7 +1033,7 @@ hubble: # # You can specify the list of metrics from the helm CLI: # - # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" # enabled: ~ # -- Enables exporting hubble metrics in OpenMetrics format. @@ -1005,6 +1051,8 @@ hubble: labels: {} # -- Annotations to add to ServiceMonitor hubble annotations: {} + # -- jobLabel to add for ServiceMonitor hubble + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor hubble 
@@ -1028,6 +1076,81 @@ hubble: # -- Unix domain socket path to listen to when Hubble is enabled. socketPath: /var/run/cilium/hubble.sock + # -- Enables redacting sensitive information present in Layer 7 flows. + redact: + enabled: false + http: + # -- Enables redacting URL query (GET) parameters. + # Example: + # + # redact: + # enabled: true + # http: + # urlQuery: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.urlQuery="true" + urlQuery: false + # -- Enables redacting user info, e.g., password when basic auth is used. + # Example: + # + # redact: + # enabled: true + # http: + # userInfo: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.userInfo="true" + userInfo: true + headers: + # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # allow: + # - traceparent + # - tracestate + # - Cache-Control + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" + allow: [] + # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # deny: + # - Authorization + # - Proxy-Authorization + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" + deny: [] + kafka: + # -- Enables redacting Kafka's API key. 
+ # Example: + # + # redact: + # enabled: true + # kafka: + # apiKey: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.kafka.apiKey="true" + apiKey: false + # -- An additional address for Hubble to listen to. # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that # Hubble is listening on port 4244. @@ -1109,9 +1232,9 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.14.10" + tag: "v1.15.5" # hubble-relay-digest - digest: "sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0" + digest: "sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781" useDigest: true pullPolicy: "IfNotPresent" @@ -1148,6 +1271,9 @@ hubble: # -- Additional hubble-relay environment variables. extraEnv: [] + # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) + annotations: {} + # -- Annotations to be added to hubble-relay pods podAnnotations: {} @@ -1235,6 +1361,12 @@ hubble: extraDnsNames: [] # -- extra IP addresses added to certificate when its auto gen extraIpAddresses: [] + # DNS name used by the backend to connect to the relay + # This is a simple workaround as the relay certificates are currently hardcoded to + # *.hubble-relay.cilium.io + # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 + # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local + relayName: "ui.hubble-relay.cilium.io" # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). dialTimeout: ~ 
@@ -1354,6 +1486,14 @@ hubble: # -- Additional hubble-ui backend volumeMounts. extraVolumeMounts: [] + livenessProbe: + # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + + readinessProbe: + # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. resources: {} # limits: @@ -1401,6 +1541,9 @@ hubble: # -- The number of replicas of Hubble UI to deploy. replicas: 1 + # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) + annotations: {} + # -- Annotations to be added to hubble-ui pods podAnnotations: {} 
@@ -1480,6 +1623,55 @@ hubble: # hosts: # - chart-example.local + # -- Hubble flows export. + export: + # --- Defines max file size of output file before it gets rotated. + fileMaxSizeMb: 10 + # --- Defines max number of backup/rotated files. + fileMaxBackups: 5 + # --- Static exporter configuration. + # Static exporter is bound to agent lifecycle. + static: + enabled: false + filePath: /var/run/cilium/hubble/events.log + fieldMask: [] + # - time + # - source + # - destination + # - verdict + allowList: [] + # - '{"verdict":["DROPPED","ERROR"]}' + denyList: [] + # - '{"source_pod":["kube-system/"]}' + # - '{"destination_pod":["kube-system/"]}' + # --- Dynamic exporters configuration. + # Dynamic exporters may be reconfigured without a need of agent restarts. + dynamic: + enabled: false + config: + # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. + configMapName: cilium-flowlog-config + # ---- True if helm installer should create config map. + # Switch to false if you want to self maintain the file content. + createConfigMap: true + # ---- Exporters configuration in YAML format. + content: + - name: all + fieldMask: [] + includeFilters: [] + excludeFilters: [] + filePath: "/var/run/cilium/hubble/events.log" + #- name: "test002" + # filePath: "/var/log/network/flow-log/pa/test002.log" + # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] + # includeFilters: + # - source_pod: ["default/"] + # event_type: + # - type: 1 + # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] + # excludeFilters: [] + # end: "2023-10-09T23:59:59-07:00" + # -- Method to use for identity allocation (`crd` or `kvstore`). identityAllocationMode: "crd" 
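Review bot: The static exporter and the default dynamic exporter entry in the new `hubble.export` block both point at `/var/run/cilium/hubble/events.log`, so enabling `static` and `dynamic` together would presumably give two writers rotating the same log; either a comment stating the two modes are meant to be exclusive or a distinct default path for one of them would remove the ambiguity. The same path is written unquoted under `static.filePath` and quoted under `dynamic.config.content[].filePath` — pick one form. The `configMapName` comment also reads "within a running agents"; `# ---- Name of the configmap whose content may be altered to reconfigure exporters in running agents.` The hunk is repeated in the values.yaml.tmpl copy at `@@ -1481,6 +1624,55 @@`.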
@@ -1530,6 +1722,9 @@ ipam: # @default -- `4.0` externalAPILimitQPS: ~ +# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API +apiRateLimit: ~ + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false @@ -1628,21 +1823,23 @@ maglev: {} # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. enableIPv4Masquerade: true -# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods -enableIPv6BIGTCP: false +# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. +enableIPv6Masquerade: true + +# -- Enables masquerading to the source of the route for traffic leaving the node from endpoints. +enableMasqueradeRouteSource: false # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods enableIPv4BIGTCP: false -# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. -enableIPv6Masquerade: true +# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods +enableIPv6BIGTCP: false -# -- Enables egress gateway to redirect and SNAT the traffic that leaves the -# cluster. egressGateway: + # -- Enables egress gateway to redirect and SNAT the traffic that leaves the + # cluster. enabled: false - # -- Install egress gateway IP rules and routes in order to properly steer - # egress gateway traffic to the correct ENI interface + # -- Deprecated without a replacement necessary. installRoutes: false # -- Time between triggers of egress gateway state reconciliations reconciliationTriggerInterval: 1s 
@@ -1707,8 +1904,11 @@ loadBalancer: # mode: snat # -- acceleration is the option to accelerate service handling via XDP - # e.g. native, disabled - # acceleration: disabled + # Applicable values can be: disabled (do not use XDP), native (XDP BPF + # program is run directly out of the networking driver's early receive + # path), or best-effort (use native mode XDP acceleration on devices + # that support it). + acceleration: disabled # -- dsrDispatch configures whether IP option or IPIP encapsulation is # used to pass a service IP and port to remote backend @@ -1757,6 +1957,10 @@ nodePort: # -- Enable healthcheck nodePort server for NodePort services enableHealthCheck: true + # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs + # EnableHealthCheck to be enabled + enableHealthCheckLoadBalancerIP: false + # policyAuditMode: false # -- The agent can be put into one of the three policy enforcement modes: @@ -1764,6 +1968,10 @@ nodePort: # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" +# -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. +# The possible value is "nodes". +policyCIDRMatchMode: + pprof: # -- Enable pprof for cilium-agent enabled: false @@ -1784,6 +1992,8 @@ prometheus: labels: {} # -- Annotations to add to ServiceMonitor cilium-agent annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-agent + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Specify the Kubernetes namespace where Prometheus expects to find 
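Review bot: `policyCIDRMatchMode:` in hunk `@@ -1764,6 +1968,10 @@` is added with a bare empty value, which YAML reads as null; the comment describes a list, and the rest of the file writes deliberate nulls as `~` (`externalAPILimitQPS: ~`, `apiRateLimit: ~`), so the empty form reads like an unfinished edit. Write `policyCIDRMatchMode: ~` (or `[]` if the template expects a list) so the default is explicit. The same hunk recurs in the values.yaml.tmpl copy at `@@ -1765,6 +1969,10 @@`.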
@@ -1806,6 +2016,15 @@ prometheus: # ref: https://docs.cilium.io/en/stable/observability/metrics/ metrics: ~ + # --- Enable controller group metrics for monitoring specific Cilium + # subsystems. The list is a list of controller group names. The special + # values of "all" and "none" are supported. The set of controller + # group names is not guaranteed to be stable between Cilium versions. + controllerGroupMetrics: + - write-cni-file + - sync-host-ips + - sync-lb-maps-with-k8s-services + # -- Grafana dashboards for cilium-agent # grafana can import dashboards based on the label and value # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards @@ -1848,14 +2067,18 @@ envoy: # -- Set Envoy upstream HTTP idle connection timeout seconds. # Does not apply to connections with pending requests. Default 60s idleTimeoutDurationSeconds: 60 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyIngress: 0 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyEgress: 0 # -- Envoy container image. image: override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f" + tag: "v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515" pullPolicy: "IfNotPresent" - digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc" + digest: "sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
@@ -1897,9 +2120,14 @@ envoy: # -- Roll out cilium envoy pods automatically when configmap is updated. rollOutPods: false - # -- Security Context for cilium-envoy pods. - podSecurityContext: {} + # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) + annotations: {} + # -- Security Context for cilium-envoy pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to envoy pods podAnnotations: {} @@ -2037,6 +2265,7 @@ envoy: # -- Enable use of the remote node identity. # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +# Deprecated without replacement in 1.15. To be removed in 1.16. remoteNodeIdentity: true # -- Enable resource quotas for priority classes used in the cluster. @@ -2117,15 +2346,6 @@ tls: # ... # -----END CERTIFICATE----- -# -- Configure the encapsulation configuration for communication between nodes. -# Deprecated in favor of tunnelProtocol and routingMode. To be removed in 1.15. -# Possible values: -# - disabled -# - vxlan -# - geneve -# @default -- `"vxlan"` -tunnel: "" - # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. # Possible values: # - "" @@ -2146,6 +2366,13 @@ routingMode: "" # @default -- Port 8472 for VXLAN, Port 6081 for Geneve tunnelPort: 0 +# -- Configure what the response should be to traffic for a service without backends. +# "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". +# Possible values: +# - reject (default) +# - drop +serviceNoBackendResponse: reject + # -- Configure the underlying network MTU to overwrite auto-detected MTU. MTU: 0 
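Review bot: The comment on the new `appArmorProfile` key in the `envoy.podSecurityContext` hunk (`@@ -1897,9 +2120,14 @@`) says it applies to the `cilium-agent` and init containers, but this block configures the cilium-envoy pods, so the text was evidently copied from the agent section; change it to `# -- AppArmorProfile options for the cilium-envoy container and init containers`. Because `type: "Unconfined"` switches off whatever AppArmor profile the node would otherwise apply, a second comment line stating why the envoy pod needs the exception (presumably datapath/BPF access — not visible here) would let reviewers judge it rather than treat it as boilerplate. The same `Unconfined` default is introduced for nodeinit (`@@ -2505,12 +2740,19 @@`) and for cilium-agent in the values.yaml.tmpl copy (`@@ -208,9 +211,14 @@`) without any rationale either.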
@@ -2201,6 +2428,9 @@ etcd: nodeSelector: kubernetes.io/os: linux + # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) + annotations: {} + # -- Security context to be added to cilium-etcd-operator pods podSecurityContext: {} @@ -2269,15 +2499,15 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.14.10" + tag: "v1.15.5" # operator-generic-digest - genericDigest: "sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909" + genericDigest: "sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8" # operator-azure-digest - azureDigest: "sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4" + azureDigest: "sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522" # operator-aws-digest - awsDigest: "sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6" + awsDigest: "sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14" + alibabacloudDigest: "sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3" useDigest: true pullPolicy: "IfNotPresent" suffix: "" @@ -2349,6 +2579,9 @@ operator: # -- Additional cilium-operator volumeMounts. extraVolumeMounts: [] + # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) + annotations: {} + # -- Security context to be added to cilium-operator pods podSecurityContext: {} @@ -2409,7 +2642,7 @@ operator: # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: - enabled: false + enabled: true port: 9963 serviceMonitor: # -- Enable service monitors. 
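Review bot: Hunk `@@ -2409,7 +2642,7 @@` flips `operator.prometheus.enabled` from false to true, so every cilium-operator pod now serves `/metrics` on port 9963 by default, yet the comment above the key still reads as opt-in and nothing in the diff records the new default. Add `# Enabled by default as of this chart bump (v1.15.5); set to false if the operator metrics port should not be exposed.` above `enabled: true`. `clustermesh.apiserver.metrics.etcd.enabled` is flipped the same way in `@@ -3007,7 +3253,7 @@` and deserves the same note.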
@@ -2419,6 +2652,8 @@ operator: labels: {} # -- Annotations to add to ServiceMonitor cilium-operator annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-operator + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor cilium-operator @@ -2467,8 +2702,8 @@ nodeinit: image: override: ~ repository: "quay.io/cilium/startup-script" - tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" - digest: "sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2" + tag: "19fb149fb3d5c7a37d3edfaf10a2be3ab7386661" + digest: "sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456" useDigest: true pullPolicy: "IfNotPresent" @@ -2505,12 +2740,19 @@ nodeinit: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) + annotations: {} + # -- Annotations to be added to node-init pods. podAnnotations: {} # -- Labels to be added to node-init pods. podLabels: {} - + # -- Security Context for cilium-node-init pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-node-init` and init containers + appArmorProfile: + type: "Unconfined" # -- nodeinit resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: @@ -2556,9 +2798,9 @@ preflight: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.14.10" + tag: "v1.15.5" # cilium-digest - digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031" + digest: "sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40" useDigest: true pullPolicy: "IfNotPresent" 
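Review bot: In the nodeinit hunk `@@ -2505,12 +2740,19 @@` the blank line that separated `podLabels: {}` from the next stanza is removed and none is added after the new `podSecurityContext` block, so `type: "Unconfined"` runs straight into `# -- nodeinit resource limits & requests`; every other stanza in this section is separated by one blank line. Restore a blank line before `# -- Security Context for cilium-node-init pods.` and add one before the resources comment.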
@@ -2611,6 +2853,9 @@ preflight: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) + annotations: {} + # -- Security context to be added to preflight pods. podSecurityContext: {} @@ -2670,6 +2915,15 @@ enableCriticalPriorityClass: true clustermesh: # -- Deploy clustermesh-apiserver for clustermesh useAPIServer: false + # -- The maximum number of clusters to support in a ClusterMesh. This value + # cannot be changed on running clusters, and all clusters in a ClusterMesh + # must be configured with the same value. Values > 255 will decrease the + # maximum allocatable cluster-local identities. + # Supported values are 255 and 511. + maxConnectedClusters: 255 + + # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) + annotations: {} # -- Clustermesh explicit configuration. config: @@ -2706,21 +2960,16 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.14.10" + tag: "v1.15.5" # clustermesh-apiserver-digest - digest: "sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798" + digest: "sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7" useDigest: true pullPolicy: "IfNotPresent" etcd: - # -- Clustermesh API server etcd image. - image: - override: ~ - repository: "quay.io/coreos/etcd" - tag: "v3.5.4" - digest: "sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3" - useDigest: true - pullPolicy: "IfNotPresent" + # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. + # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is + # built with. # -- Specifies the resources for etcd container in the apiserver resources: {} 
@@ -2734,6 +2983,9 @@ clustermesh: # -- Security context to be added to clustermesh-apiserver etcd containers securityContext: {} + # -- lifecycle setting for the etcd container + lifecycle: {} + init: # -- Specifies the resources for etcd init container in the apiserver resources: {} @@ -2744,21 +2996,17 @@ clustermesh: # cpu: 100m # memory: 100Mi + # -- Additional arguments to `clustermesh-apiserver etcdinit`. + extraArgs: [] + + # -- Additional environment variables to `clustermesh-apiserver etcdinit`. + extraEnv: [] + kvstoremesh: # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved # from the remote clusters in the local etcd instance. enabled: false - # -- KVStoreMesh image. - image: - override: ~ - repository: "quay.io/cilium/kvstoremesh" - tag: "v1.14.10" - # kvstoremesh-digest - digest: "sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070" - useDigest: true - pullPolicy: "IfNotPresent" - # -- Additional KVStoreMesh arguments. extraArgs: [] @@ -2784,6 +3032,9 @@ clustermesh: drop: - ALL + # -- lifecycle setting for the KVStoreMesh container + lifecycle: {} + service: # -- The type of service used for apiserver access. type: NodePort @@ -2814,6 +3065,12 @@ clustermesh: # -- Number of replicas run for the clustermesh-apiserver deployment. replicas: 1 + # -- lifecycle setting for the apiserver container + lifecycle: {} + + # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment + terminationGracePeriodSeconds: 30 + # -- Additional clustermesh-apiserver arguments. extraArgs: [] 
@@ -2956,17 +3213,6 @@ clustermesh: # name: ca-issuer # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. certManagerIssuerRef: {} - # -- Deprecated in favor of tls.ca. To be removed in 1.15. - # base64 encoded PEM values for the ExternalWorkload CA certificate and private key. - ca: - # -- Deprecated in favor of tls.ca.cert. To be removed in 1.15. - # Optional CA cert. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - cert: "" - # -- Deprecated in favor of tls.ca.key. To be removed in 1.15. - # Optional CA private key. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - key: "" # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. # Used if 'auto' is not enabled. server: @@ -3007,7 +3253,7 @@ clustermesh: etcd: # -- Enables exporting etcd metrics in OpenMetrics format. - enabled: false + enabled: true # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. mode: basic # -- Configure the port the etcd metric server listens on. @@ -3133,10 +3379,14 @@ authentication: mutual: # -- Port on the agent where mutual authentication handshakes between agents will be performed port: 4250 + # -- Timeout for connecting to the remote node TCP socket + connectTimeout: 5s # Settings for SPIRE spire: # -- Enable SPIRE integration (beta) enabled: false + # -- Annotations to be added to all top-level spire objects (resources under templates/spire) + annotations: {} # Settings to control the SPIRE installation and configuration install: # -- Enable SPIRE installation. 
@@ -3144,10 +3394,26 @@ authentication: enabled: true # -- SPIRE namespace to install into namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false + # -- init container image of SPIRE agent and server + initImage: + override: ~ + repository: "docker.io/library/busybox" + tag: "1.36.1" + digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" + useDigest: true + pullPolicy: "IfNotPresent" # SPIRE agent configuration agent: # -- SPIRE agent image - image: ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823 + image: + override: ~ + repository: "ghcr.io/spiffe/spire-agent" + tag: "1.8.5" + digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" + useDigest: true + pullPolicy: "IfNotPresent" # -- SPIRE agent service account serviceAccount: create: true @@ -3189,7 +3455,13 @@ authentication: securityContext: {} server: # -- SPIRE server image - image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f + image: + override: ~ + repository: "ghcr.io/spiffe/spire-server" + tag: "1.8.5" + digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" + useDigest: true + pullPolicy: "IfNotPresent" # -- SPIRE server service account serviceAccount: create: true 
@@ -3226,6 +3498,14 @@ authentication: accessMode: ReadWriteOnce # -- StorageClass of the SPIRE server data storage storageClass: null + # -- Security context to be added to spire server pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire server containers. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} # SPIRE CA configuration ca: # -- SPIRE CA key type diff --git a/packages/system/cilium/charts/cilium/values.yaml.tmpl b/packages/system/cilium/charts/cilium/values.yaml.tmpl index 481bbe7b..679b4cac 100644 --- a/packages/system/cilium/charts/cilium/values.yaml.tmpl +++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl @@ -1,7 +1,7 @@ # upgradeCompatibility helps users upgrading to ensure that the configMap for # Cilium will not change critical values to ensure continued operation -# This is flag is not required for new installations. +# This flag is not required for new installations. # For example: 1.7, 1.8, 1.9 # upgradeCompatibility: '1.8' @@ -12,6 +12,7 @@ debug: # This option is used to enable debug messages for operations related to such # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). # # Applicable values: # - flow 
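Review bot: The comment on the new SPIRE server `securityContext` key says it "holds pod-level security attributes and common container settings", which is the text of the `podSecurityContext` comment directly above it, while its own ref link points at the container-level section of the Kubernetes docs. Change the second comment to `# SecurityContext holds container-level security attributes and overrides the pod-level settings for this container.` so the two keys are distinguishable in generated docs. The hunk ends inside the `spire.install.server` mapping; the block continues past it.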
@@ -43,11 +44,13 @@ k8sServicePort: "" # rate limit, the agent and operator will start to throttle requests by delaying # them until there is budget or the request times out. k8sClientRateLimit: - # -- The sustained request rate in requests per second. - qps: 5 - # -- The burst request rate in requests per second. + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. # The rate limiter will allow short bursts with a higher rate. - burst: 10 + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: cluster: # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. @@ -208,9 +211,14 @@ extraConfig: {} # test 2 # test 3 -# -- Security Context for cilium-agent pods. -podSecurityContext: {} +# -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) +annotations: {} +# -- Security Context for cilium-agent pods. +podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to agent pods podAnnotations: {} @@ -405,6 +413,12 @@ bgp: bgpControlPlane: # -- Enables the BGP control plane. enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system pmtuDiscovery: # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to 
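Review bot: `qps:` and `burst:` in the k8sClientRateLimit hunk (`@@ -43,11 +44,13 @@`) are left with bare empty values, which parse as null; the rest of this file spells unset values as `~` (for example `nodeMapMax: ~` in the bpf hunk below), and a bare key beside a `# -- (int)` annotation reads like a value that was forgotten. Write `qps: ~` and `burst: ~` so the version-dependent default described in the `@default` lines is clearly deliberate.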
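Review bot: The new `bgpControlPlane.secretsNamespace.name` defaults to `kube-system`, and its comment says this is the namespace "to which Cilium agents are given read access"; if the template grants that access with a namespace-scoped Role on Secrets (not visible in this diff), the default hands every agent read access to all Secrets in kube-system, not only BGP peering passwords. A dedicated namespace via the `create: true` path is the least-privilege option and the comment should steer users there, e.g. `# -- Namespace the agents may read Secrets from; prefer a dedicated namespace, since read access covers every Secret in it.`.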
@@ -453,7 +467,17 @@ bpf: # @default -- `524288` neighMax: ~ + # @schema + # type: [null, integer] + # @schema + # @default -- `16384` + # -- (int) Configures the maximum number of entries for the node table. + nodeMapMax: ~ + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + # @schema + # type: [null, integer] + # @schema policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. @@ -586,6 +610,12 @@ cni: # inside the agent pod. hostConfDirMountPath: /host/etc/cni/net.d + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + # -- (string) Configure how frequently garbage collection should occur for the datapath # connection tracking table. # @default -- `"0s"` @@ -647,7 +677,8 @@ daemon: # -- Specify which network interfaces can run the eBPF datapath. This means # that a packet sent from a pod to a destination outside the cluster will be # masqueraded (to an output device IPv4 address), if the output device runs the -# program. When not specified, probing will automatically detect devices. +# program. When not specified, probing will automatically detect devices that have +# a non-local route. This should be used only when autodetection is not suitable. # devices: "" # -- Enables experimental support for the detection of new and removed datapath @@ -662,13 +693,6 @@ enableRuntimeDeviceDetection: false # -- Limit iptables-based egress masquerading to interface selector. # egressMasqueradeInterfaces: "" -# -- Whether to enable CNP status updates. -enableCnpStatusUpdates: false - -# -- Configures the use of the KVStore to optimize Kubernetes event handling by -# mirroring it into the KVstore for reduced overhead in large clusters. -enableK8sEventHandover: false - # -- Enable setting identity mark for local traffic. # enableIdentityMark: true 
@@ -710,8 +734,10 @@ ingressController: # Incoming traffic to http listener will return 308 http error code with respective location in header. enforceHttps: true - # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate - # from Ingress to the Load Balancer service + # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. + enableProxyProtocol: false + + # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] # -- Default secret namespace for ingresses without .spec.tls[].secretName set. @@ -789,6 +815,18 @@ encryption: # This option is only effective when encryption.type is set to "wireguard". nodeEncryption: false + # -- Configure the WireGuard Pod2Pod strict mode. + strictMode: + # -- Enable WireGuard Pod2Pod strict mode. + enabled: false + + # -- CIDR for the WireGuard Pod2Pod strict mode. + cidr: "" + + # -- Allow dynamic lookup of remote node identities. + # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. + allowRemoteNodeIdentities: false + ipsec: # -- Name of the key file inside the Kubernetes secret configured via secretName. keyFile: "" @@ -813,6 +851,8 @@ encryption: wireguard: # -- Enables the fallback to the user-space implementation. userspaceFallback: false + # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. + persistentKeepalive: 0s # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. # Name of the key file inside the Kubernetes secret configured via secretName. 
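Review bot: The comment on the new `ingressController.enableProxyProtocol` key warns that only PROXY-protocol traffic is accepted once enabled, but not that the listener then takes the client address from the PROXY header; if the ingress is reachable by any path other than the load balancer that injects that header, the source address seen by L7 policy and flow logs is presumably whatever the peer claims. Extend the comment with `# Enable only when all traffic reaches the listener through a load balancer that adds the PROXY header, because the address in that header is trusted as the client address.`.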
@@ -956,10 +996,16 @@ certgen: # -- Additional certgen volumeMounts. extraVolumeMounts: [] + # -- Affinity for certgen + affinity: {} + hubble: # -- Enable Hubble (true by default). enabled: true + # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) + annotations: {} + # -- Buffer size of the channel Hubble uses to receive monitor events. If this # value is not set, the queue size is set to the default monitor queue size. # eventQueueSize: "" @@ -988,7 +1034,7 @@ hubble: # # You can specify the list of metrics from the helm CLI: # - # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" # enabled: ~ # -- Enables exporting hubble metrics in OpenMetrics format. @@ -1006,6 +1052,8 @@ hubble: labels: {} # -- Annotations to add to ServiceMonitor hubble annotations: {} + # -- jobLabel to add for ServiceMonitor hubble + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor hubble 
@@ -1029,6 +1077,81 @@ hubble: # -- Unix domain socket path to listen to when Hubble is enabled. socketPath: /var/run/cilium/hubble.sock + # -- Enables redacting sensitive information present in Layer 7 flows. + redact: + enabled: false + http: + # -- Enables redacting URL query (GET) parameters. + # Example: + # + # redact: + # enabled: true + # http: + # urlQuery: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.urlQuery="true" + urlQuery: false + # -- Enables redacting user info, e.g., password when basic auth is used. + # Example: + # + # redact: + # enabled: true + # http: + # userInfo: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.userInfo="true" + userInfo: true + headers: + # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # allow: + # - traceparent + # - tracestate + # - Cache-Control + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" + allow: [] + # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # deny: + # - Authorization + # - Proxy-Authorization + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" + deny: [] + kafka: + # -- Enables redacting Kafka's API key. 
+ # Example: + # + # redact: + # enabled: true + # kafka: + # apiKey: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.kafka.apiKey="true" + apiKey: false + # -- An additional address for Hubble to listen to. # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that # Hubble is listening on port 4244. @@ -1149,6 +1272,9 @@ hubble: # -- Additional hubble-relay environment variables. extraEnv: [] + # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) + annotations: {} + # -- Annotations to be added to hubble-relay pods podAnnotations: {} @@ -1236,6 +1362,12 @@ hubble: extraDnsNames: [] # -- extra IP addresses added to certificate when its auto gen extraIpAddresses: [] + # DNS name used by the backend to connect to the relay + # This is a simple workaround as the relay certificates are currently hardcoded to + # *.hubble-relay.cilium.io + # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 + # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local + relayName: "ui.hubble-relay.cilium.io" # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). dialTimeout: ~ @@ -1355,6 +1487,14 @@ hubble: # -- Additional hubble-ui backend volumeMounts. extraVolumeMounts: [] + livenessProbe: + # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + + readinessProbe: + # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. resources: {} # limits: 
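Review bot: In the hubble `redact` hunk (`@@ -1029,6 +1077,81 @@`, which starts on the previous line) `http.userInfo` defaults to `true` while `redact.enabled` defaults to `false`, so the sub-option does nothing until the top-level switch is on; nothing beside `userInfo: true` says that, and a reader can take it to mean basic-auth credentials in URLs are already scrubbed. Add `# Only applied when redact.enabled is true.` to the `userInfo` comment (the examples imply it but never state it). The `headers.allow`/`headers.deny` comments say both lists cannot be set at once; whether the chart rejects that combination is not visible here, so a line stating what happens when both are non-empty would help.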
@@ -1402,6 +1542,9 @@ hubble: # -- The number of replicas of Hubble UI to deploy. replicas: 1 + # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) + annotations: {} + # -- Annotations to be added to hubble-ui pods podAnnotations: {} 
@@ -1481,6 +1624,55 @@ hubble: # hosts: # - chart-example.local + # -- Hubble flows export. + export: + # --- Defines max file size of output file before it gets rotated. + fileMaxSizeMb: 10 + # --- Defines max number of backup/rotated files. + fileMaxBackups: 5 + # --- Static exporter configuration. + # Static exporter is bound to agent lifecycle. + static: + enabled: false + filePath: /var/run/cilium/hubble/events.log + fieldMask: [] + # - time + # - source + # - destination + # - verdict + allowList: [] + # - '{"verdict":["DROPPED","ERROR"]}' + denyList: [] + # - '{"source_pod":["kube-system/"]}' + # - '{"destination_pod":["kube-system/"]}' + # --- Dynamic exporters configuration. + # Dynamic exporters may be reconfigured without a need of agent restarts. + dynamic: + enabled: false + config: + # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. + configMapName: cilium-flowlog-config + # ---- True if helm installer should create config map. + # Switch to false if you want to self maintain the file content. + createConfigMap: true + # ---- Exporters configuration in YAML format. + content: + - name: all + fieldMask: [] + includeFilters: [] + excludeFilters: [] + filePath: "/var/run/cilium/hubble/events.log" + #- name: "test002" + # filePath: "/var/log/network/flow-log/pa/test002.log" + # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] + # includeFilters: + # - source_pod: ["default/"] + # event_type: + # - type: 1 + # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] + # excludeFilters: [] + # end: "2023-10-09T23:59:59-07:00" + # -- Method to use for identity allocation (`crd` or `kvstore`). identityAllocationMode: "crd" 
@@ -1531,6 +1723,9 @@ ipam: # @default -- `4.0` externalAPILimitQPS: ~ +# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API +apiRateLimit: ~ + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false @@ -1629,21 +1824,23 @@ maglev: {} # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. enableIPv4Masquerade: true -# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods -enableIPv6BIGTCP: false +# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. +enableIPv6Masquerade: true + +# -- Enables masquerading to the source of the route for traffic leaving the node from endpoints. +enableMasqueradeRouteSource: false # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods enableIPv4BIGTCP: false -# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. -enableIPv6Masquerade: true +# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods +enableIPv6BIGTCP: false -# -- Enables egress gateway to redirect and SNAT the traffic that leaves the -# cluster. egressGateway: + # -- Enables egress gateway to redirect and SNAT the traffic that leaves the + # cluster. enabled: false - # -- Install egress gateway IP rules and routes in order to properly steer - # egress gateway traffic to the correct ENI interface + # -- Deprecated without a replacement necessary. installRoutes: false # -- Time between triggers of egress gateway state reconciliations reconciliationTriggerInterval: 1s 
@@ -1708,8 +1905,11 @@ loadBalancer: # mode: snat # -- acceleration is the option to accelerate service handling via XDP - # e.g. native, disabled - # acceleration: disabled + # Applicable values can be: disabled (do not use XDP), native (XDP BPF + # program is run directly out of the networking driver's early receive + # path), or best-effort (use native mode XDP acceleration on devices + # that support it). + acceleration: disabled # -- dsrDispatch configures whether IP option or IPIP encapsulation is # used to pass a service IP and port to remote backend @@ -1758,6 +1958,10 @@ nodePort: # -- Enable healthcheck nodePort server for NodePort services enableHealthCheck: true + # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs + # EnableHealthCheck to be enabled + enableHealthCheckLoadBalancerIP: false + # policyAuditMode: false # -- The agent can be put into one of the three policy enforcement modes: @@ -1765,6 +1969,10 @@ nodePort: # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" +# -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. +# The possible value is "nodes". +policyCIDRMatchMode: + pprof: # -- Enable pprof for cilium-agent enabled: false @@ -1785,6 +1993,8 @@ prometheus: labels: {} # -- Annotations to add to ServiceMonitor cilium-agent annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-agent + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Specify the Kubernetes namespace where Prometheus expects to find 
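Review bot: The comment added above `enableHealthCheckLoadBalancerIP` in hunk @@ -1758 refers to `EnableHealthCheck`, but the key it depends on is spelled `enableHealthCheck` two lines earlier; since helm-docs renders these comments verbatim, the reference should match the key, e.g. `# -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs` / `# enableHealthCheck to be enabled`.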
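Review bot: `policyCIDRMatchMode:` in hunk @@ -1765 is left as a bare key, which YAML parses as null rather than the list the comment describes, so a generic consumer (or a schema check) sees a different type than a user who sets `- nodes`. Writing `policyCIDRMatchMode: []` keeps the documented type, and a commented example below it, `# - nodes`, would show the only value the comment says is possible.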
@@ -1807,6 +2017,15 @@ prometheus: # ref: https://docs.cilium.io/en/stable/observability/metrics/ metrics: ~ + # --- Enable controller group metrics for monitoring specific Cilium + # subsystems. The list is a list of controller group names. The special + # values of "all" and "none" are supported. The set of controller + # group names is not guaranteed to be stable between Cilium versions. + controllerGroupMetrics: + - write-cni-file + - sync-host-ips + - sync-lb-maps-with-k8s-services + # -- Grafana dashboards for cilium-agent # grafana can import dashboards based on the label and value # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards @@ -1849,14 +2068,18 @@ envoy: # -- Set Envoy upstream HTTP idle connection timeout seconds. # Does not apply to connections with pending requests. Default 60s idleTimeoutDurationSeconds: 60 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyIngress: 0 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyEgress: 0 # -- Envoy container image. image: override: ~ - repository: "quay.io/cilium/cilium-envoy" - tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f" + repository: "${CILIUM_ENVOY_REPO}" + tag: "${CILIUM_ENVOY_VERSION}" pullPolicy: "${PULL_POLICY}" - digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc" + digest: "${CILIUM_ENVOY_DIGEST}" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
@@ -1898,9 +2121,14 @@ envoy: # -- Roll out cilium envoy pods automatically when configmap is updated. rollOutPods: false - # -- Security Context for cilium-envoy pods. - podSecurityContext: {} + # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) + annotations: {} + # -- Security Context for cilium-envoy pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to envoy pods podAnnotations: {} @@ -2038,6 +2266,7 @@ envoy: # -- Enable use of the remote node identity. # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +# Deprecated without replacement in 1.15. To be removed in 1.16. remoteNodeIdentity: true # -- Enable resource quotas for priority classes used in the cluster. @@ -2118,15 +2347,6 @@ tls: # ... # -----END CERTIFICATE----- -# -- Configure the encapsulation configuration for communication between nodes. -# Deprecated in favor of tunnelProtocol and routingMode. To be removed in 1.15. -# Possible values: -# - disabled -# - vxlan -# - geneve -# @default -- `"vxlan"` -tunnel: "" - # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. # Possible values: # - "" @@ -2147,6 +2367,13 @@ routingMode: "" # @default -- Port 8472 for VXLAN, Port 6081 for Geneve tunnelPort: 0 +# -- Configure what the response should be to traffic for a service without backends. +# "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". +# Possible values: +# - reject (default) +# - drop +serviceNoBackendResponse: reject + # -- Configure the underlying network MTU to overwrite auto-detected MTU. MTU: 0 
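Review bot: The comment added above `appArmorProfile` in hunk @@ -1898 says it covers the `cilium-agent` and init containers, but this `podSecurityContext` sits under the `envoy` section and applies to the cilium-envoy pods; suggest `# -- AppArmorProfile options for the \`cilium-envoy\` and init containers`. Defaulting `type: "Unconfined"` also replaces whatever AppArmor profile the node's runtime would otherwise apply, so the comment should say why the envoy pod needs to run unconfined and that operators on hardened nodes can substitute `RuntimeDefault` or a `Localhost` profile. The nodeinit hunk on the next line (@@ -2506) introduces the same Unconfined default and would benefit from the same explanation.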
@@ -2202,6 +2429,9 @@ etcd: nodeSelector: kubernetes.io/os: linux + # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) + annotations: {} + # -- Security context to be added to cilium-etcd-operator pods podSecurityContext: {} @@ -2350,6 +2580,9 @@ operator: # -- Additional cilium-operator volumeMounts. extraVolumeMounts: [] + # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) + annotations: {} + # -- Security context to be added to cilium-operator pods podSecurityContext: {} @@ -2410,7 +2643,7 @@ operator: # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: - enabled: false + enabled: true port: 9963 serviceMonitor: # -- Enable service monitors. @@ -2420,6 +2653,8 @@ operator: labels: {} # -- Annotations to add to ServiceMonitor cilium-operator annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-operator + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor cilium-operator @@ -2506,12 +2741,19 @@ nodeinit: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) + annotations: {} + # -- Annotations to be added to node-init pods. podAnnotations: {} # -- Labels to be added to node-init pods. podLabels: {} - + # -- Security Context for cilium-node-init pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-node-init` and init containers + appArmorProfile: + type: "Unconfined" # -- nodeinit resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: 
@@ -2614,6 +2856,9 @@ preflight: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) + annotations: {} + # -- Security context to be added to preflight pods. podSecurityContext: {} @@ -2673,6 +2918,15 @@ enableCriticalPriorityClass: true clustermesh: # -- Deploy clustermesh-apiserver for clustermesh useAPIServer: false + # -- The maximum number of clusters to support in a ClusterMesh. This value + # cannot be changed on running clusters, and all clusters in a ClusterMesh + # must be configured with the same value. Values > 255 will decrease the + # maximum allocatable cluster-local identities. + # Supported values are 255 and 511. + maxConnectedClusters: 255 + + # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) + annotations: {} # -- Clustermesh explicit configuration. config: @@ -2716,14 +2970,9 @@ clustermesh: pullPolicy: "${PULL_POLICY}" etcd: - # -- Clustermesh API server etcd image. - image: - override: ~ - repository: "${ETCD_REPO}" - tag: "${ETCD_VERSION}" - digest: "${ETCD_DIGEST}" - useDigest: true - pullPolicy: "${PULL_POLICY}" + # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. + # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is + # built with. # -- Specifies the resources for etcd container in the apiserver resources: {} @@ -2737,6 +2986,9 @@ clustermesh: # -- Security context to be added to clustermesh-apiserver etcd containers securityContext: {} + # -- lifecycle setting for the etcd container + lifecycle: {} + init: # -- Specifies the resources for etcd init container in the apiserver resources: {} 
@@ -2747,21 +2999,17 @@ clustermesh: # cpu: 100m # memory: 100Mi + # -- Additional arguments to `clustermesh-apiserver etcdinit`. + extraArgs: [] + + # -- Additional environment variables to `clustermesh-apiserver etcdinit`. + extraEnv: [] + kvstoremesh: # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved # from the remote clusters in the local etcd instance. enabled: false - # -- KVStoreMesh image. - image: - override: ~ - repository: "${KVSTOREMESH_REPO}" - tag: "${CILIUM_VERSION}" - # kvstoremesh-digest - digest: ${KVSTOREMESH_DIGEST} - useDigest: ${USE_DIGESTS} - pullPolicy: "${PULL_POLICY}" - # -- Additional KVStoreMesh arguments. extraArgs: [] @@ -2787,6 +3035,9 @@ clustermesh: drop: - ALL + # -- lifecycle setting for the KVStoreMesh container + lifecycle: {} + service: # -- The type of service used for apiserver access. type: NodePort @@ -2817,6 +3068,12 @@ clustermesh: # -- Number of replicas run for the clustermesh-apiserver deployment. replicas: 1 + # -- lifecycle setting for the apiserver container + lifecycle: {} + + # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment + terminationGracePeriodSeconds: 30 + # -- Additional clustermesh-apiserver arguments. extraArgs: [] 
@@ -2959,17 +3216,6 @@ clustermesh: # name: ca-issuer # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. certManagerIssuerRef: {} - # -- Deprecated in favor of tls.ca. To be removed in 1.15. - # base64 encoded PEM values for the ExternalWorkload CA certificate and private key. - ca: - # -- Deprecated in favor of tls.ca.cert. To be removed in 1.15. - # Optional CA cert. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - cert: "" - # -- Deprecated in favor of tls.ca.key. To be removed in 1.15. - # Optional CA private key. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - key: "" # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. # Used if 'auto' is not enabled. server: @@ -3010,7 +3256,7 @@ clustermesh: etcd: # -- Enables exporting etcd metrics in OpenMetrics format. - enabled: false + enabled: true # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. mode: basic # -- Configure the port the etcd metric server listens on. @@ -3136,10 +3382,14 @@ authentication: mutual: # -- Port on the agent where mutual authentication handshakes between agents will be performed port: 4250 + # -- Timeout for connecting to the remote node TCP socket + connectTimeout: 5s # Settings for SPIRE spire: # -- Enable SPIRE integration (beta) enabled: false + # -- Annotations to be added to all top-level spire objects (resources under templates/spire) + annotations: {} # Settings to control the SPIRE installation and configuration install: # -- Enable SPIRE installation. 
@@ -3147,10 +3397,26 @@ authentication: enabled: true # -- SPIRE namespace to install into namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false + # -- init container image of SPIRE agent and server + initImage: + override: ~ + repository: "${SPIRE_INIT_REPO}" + tag: "${SPIRE_INIT_VERSION}" + digest: "${SPIRE_INIT_DIGEST}" + useDigest: true + pullPolicy: "${PULL_POLICY}" # SPIRE agent configuration agent: # -- SPIRE agent image - image: ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823 + image: + override: ~ + repository: "${SPIRE_AGENT_REPO}" + tag: "${SPIRE_AGENT_VERSION}" + digest: "${SPIRE_AGENT_DIGEST}" + useDigest: true + pullPolicy: "${PULL_POLICY}" # -- SPIRE agent service account serviceAccount: create: true @@ -3192,7 +3458,13 @@ authentication: securityContext: {} server: # -- SPIRE server image - image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f + image: + override: ~ + repository: "${SPIRE_SERVER_REPO}" + tag: "${SPIRE_SERVER_VERSION}" + digest: "${SPIRE_SERVER_DIGEST}" + useDigest: true + pullPolicy: "${PULL_POLICY}" # -- SPIRE server service account serviceAccount: create: true 
@@ -3229,6 +3501,14 @@ authentication: accessMode: ReadWriteOnce # -- StorageClass of the SPIRE server data storage storageClass: null + # -- Security context to be added to spire server pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire server containers. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} # SPIRE CA configuration ca: # -- SPIRE CA key type From e89926cca6187432ea480c5c2cb43e6bf813fc5b Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Sun, 26 May 2024 18:11:36 +0200 Subject: [PATCH 13/25] Update kube-ovn v1.13.0-ge1310e17 and enable image building (#149) 
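Review bot: The comment on the container-level `securityContext` added in hunk @@ -3229 repeats the text from the `podSecurityContext` entry above it ("SecurityContext holds pod-level security attributes and common container settings"), which is wrong for the container field and invites readers to put pod-level keys there; it should read `# SecurityContext holds security configuration that will be applied to a container.` while keeping the existing `ref:` line, whose anchor already points at the container section.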
Signed-off-by: Andrei Kvapil --- Makefile | 1 + packages/system/kubeovn/Makefile | 21 +- .../system/kubeovn/charts/kube-ovn/Chart.yaml | 4 +- .../system/kubeovn/charts/kube-ovn/README.md | 8 +- .../kubeovn/charts/kube-ovn/crds/crd.yaml | 2278 ----------------- .../system/kubeovn/charts/kube-ovn/images | 1 + .../charts/kube-ovn/kube-ovn/Chart.yaml | 24 - .../charts/kube-ovn/kube-ovn/README.md | 42 - .../kube-ovn/kube-ovn/templates/_helpers.tpl | 54 - .../kube-ovn/templates/central-deploy.yaml | 161 -- .../kube-ovn/templates/controller-deploy.yaml | 190 -- .../kube-ovn/templates/controller-svc.yaml | 16 - .../kube-ovn/templates/monitor-deploy.yaml | 139 - .../kube-ovn/templates/monitor-svc.yaml | 18 - .../kube-ovn/kube-ovn/templates/nb-svc.yaml | 19 - .../kube-ovn/templates/northd-svc.yaml | 19 - .../kube-ovn/kube-ovn/templates/ovn-CR.yaml | 256 -- .../kube-ovn/kube-ovn/templates/ovn-CRB.yaml | 54 - .../kube-ovn/templates/ovn-dpdk-ds.yaml | 164 -- .../kube-ovn/kube-ovn/templates/ovn-sa.yaml | 34 - .../kube-ovn/templates/ovn-tls-secret.yaml | 23 - .../kube-ovn/templates/ovncni-ds.yaml | 206 -- .../kube-ovn/templates/ovncni-svc.yaml | 16 - .../kube-ovn/templates/ovsovn-ds.yaml | 221 -- .../kube-ovn/templates/pinger-ds.yaml | 137 - .../kube-ovn/templates/pinger-svc.yaml | 16 - .../kube-ovn/templates/pre-delete-hook.yaml | 123 - .../kube-ovn/kube-ovn/templates/sb-svc.yaml | 19 - .../kube-ovn/templates/upgrade-ovs-ovn.yaml | 163 -- .../kube-ovn/templates/vpc-nat-config.yaml | 10 - .../charts/kube-ovn/kube-ovn/values.yaml | 181 -- .../charts/kube-ovn/templates/_helpers.tpl | 25 + .../kube-ovn/templates/central-deploy.yaml | 14 +- .../kube-ovn/templates/controller-deploy.yaml | 41 +- .../templates/ic-controller-deploy.yaml | 2 +- .../templates/kube-ovn-crd.yaml | 37 + .../kube-ovn/templates/monitor-deploy.yaml | 2 +- .../charts/kube-ovn/templates/ovn-CR.yaml | 86 +- .../kube-ovn/templates/ovn-dpdk-ds.yaml | 2 +- .../charts/kube-ovn/templates/ovncni-ds.yaml | 23 +- 
.../charts/kube-ovn/templates/ovsovn-ds.yaml | 15 +- .../charts/kube-ovn/templates/pinger-ds.yaml | 2 +- .../kube-ovn/templates/pre-delete-hook.yaml | 2 +- .../kube-ovn/templates/upgrade-ovs-ovn.yaml | 31 +- .../kube-ovn/templates/vpc-nat-config.yaml | 2 +- .../kubeovn/charts/kube-ovn/values.yaml | 14 +- packages/system/kubeovn/images/kubeovn.json | 4 + packages/system/kubeovn/images/kubeovn.tag | 1 + .../system/kubeovn/images/kubeovn/Dockerfile | 43 + .../system/kubeovn/patches/cozyconfig.diff | 97 + .../system/kubeovn/templates/_helpers.tpl | 3 + packages/system/kubeovn/values.yaml | 8 - 52 files changed, 359 insertions(+), 4713 deletions(-) delete mode 100644 packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml create mode 120000 packages/system/kubeovn/charts/kube-ovn/images delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml delete 
mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml delete mode 100755 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml rename packages/system/kubeovn/charts/kube-ovn/{kube-ovn => }/templates/ic-controller-deploy.yaml (95%) rename packages/system/kubeovn/charts/kube-ovn/{kube-ovn => }/templates/kube-ovn-crd.yaml (98%) create mode 100644 packages/system/kubeovn/images/kubeovn.json create mode 100644 packages/system/kubeovn/images/kubeovn.tag create mode 100644 packages/system/kubeovn/images/kubeovn/Dockerfile create mode 100644 packages/system/kubeovn/patches/cozyconfig.diff create mode 100644 packages/system/kubeovn/templates/_helpers.tpl diff --git a/Makefile b/Makefile index e60ea514..0ef2d210 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,7 @@ build: make -C packages/apps/http-cache image make -C packages/apps/kubernetes image + make -C packages/system/kubeovn image make -C packages/system/dashboard image make -C packages/core/installer image make manifests 
diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index 8ab3423c..9f0d8b98 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile @@ -1,9 +1,28 @@ +KUBEOVN_TAG = v1.13.0 + NAME=kubeovn NAMESPACE=cozy-$(NAME) +include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk update: rm -rf charts && mkdir -p charts/kube-ovn curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/heads/master.tar.gz | \ - tar -C charts/kube-ovn -xzvf - --strip 2 kube-ovn-master/charts + tar xzvf - --strip 1 kube-ovn-master/charts + patch -p4 --no-backup-if-mismatch < patches/cozyconfig.diff + ln -s ../../images charts/kube-ovn/images + sed -i '/image:/ s/{{.*}}/{{ include "kubeovn.image" . }}/g' `grep -rl image: charts/kube-ovn/templates/` + +image: + docker buildx build images/kubeovn \ + --provenance false \ + --tag $(REGISTRY)/kubeovn:$(call settag,$(TAG)) \ + --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)) \ + --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)-$(TAG)) \ + --cache-from type=registry,ref=$(REGISTRY)/kubeovn:latest \ + --cache-to type=inline \ + --metadata-file images/kubeovn.json \ + --push=$(PUSH) \ + --load=$(LOAD) + echo "$(REGISTRY)/kubeovn:$(call settag,$(TAG))" > images/kubeovn.tag diff --git a/packages/system/kubeovn/charts/kube-ovn/Chart.yaml b/packages/system/kubeovn/charts/kube-ovn/Chart.yaml index 1cb8212f..0978817b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/Chart.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/Chart.yaml 
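Review bot: The `update` target in hunk @@ -1,9 +1,28 @@ still downloads `refs/heads/master.tar.gz`, so the vendored chart is whatever master contains at the moment the target runs, while the `image` target tags the build from `KUBEOVN_TAG = v1.13.0`; the chart and the image can silently drift apart and neither re-run of `update` is reproducible. Fetching the tagged archive instead, e.g. `curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/tags/$(KUBEOVN_TAG).tar.gz`, with the `--strip 1` path adjusted to that archive's top-level directory name, pins both to the same release. `--provenance false` also turns off the buildx provenance attestation for the pushed image; if that is intentional, a short comment on that line stating the reason would keep a later maintainer from re-enabling it or removing it by accident.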
@@ -15,10 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.13.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "1.13.0" + +kubeVersion: ">= 1.23.0-0" diff --git a/packages/system/kubeovn/charts/kube-ovn/README.md b/packages/system/kubeovn/charts/kube-ovn/README.md index f9295ca9..3af408e6 100644 --- a/packages/system/kubeovn/charts/kube-ovn/README.md +++ b/packages/system/kubeovn/charts/kube-ovn/README.md @@ -10,13 +10,13 @@ $ kubectl label node -lnode-role.kubernetes.io/control-plane kube-ovn/role=mast $ kubectl label node -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel --overwrite # standard install -$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0} +$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0} # high availability install -$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2} +$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} # upgrade to this version -$ helm upgrade --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2} +$ helm upgrade --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} ``` If `MASTER_NODES` unspecified Helm will take internal IPs of nodes with `kube-ovn/role=master` label 
@@ -32,7 +32,7 @@ machine: - name: openvswitch ``` -and use the following options for install this Helm-chart: +and use the following options to install this Helm-chart: ``` --set cni_conf.MOUNT_LOCAL_BIN_DIR=false diff --git a/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml b/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml deleted file mode 100644 index 2d545cc2..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml +++ /dev/null 
@@ -1,2278 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpc-dnses.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vpc-dnses - singular: vpc-dns - shortNames: - - vpc-dns - kind: VpcDns - listKind: VpcDnsList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.active - name: Active - type: boolean - - jsonPath: .spec.vpc - name: Vpc - type: string - - jsonPath: .spec.subnet - name: Subnet - type: string - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - vpc: - type: string - subnet: - type: string - replicas: - type: integer - minimum: 1 - maximum: 3 - status: - type: object - properties: - active: - type: boolean - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: switch-lb-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: switch-lb-rules - singular: switch-lb-rule - shortNames: - - slr - kind: SwitchLBRule - listKind: SwitchLBRuleList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.vip - name: vip - type: string - - jsonPath: .status.ports - name: port(s) - type: string - - jsonPath: .status.service - name: service - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - namespace: - type: string - vip: - type: string - sessionAffinity: - type: string - ports: - items: - properties: - name: - type: string - port: - type: integer - minimum: 1 - maximum: 65535 
- protocol: - type: string - targetPort: - type: integer - minimum: 1 - maximum: 65535 - type: object - type: array - selector: - items: - type: string - type: array - status: - type: object - properties: - ports: - type: string - service: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpc-nat-gateways.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vpc-nat-gateways - singular: vpc-nat-gateway - shortNames: - - vpc-nat-gw - kind: VpcNatGateway - listKind: VpcNatGatewayList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.vpc - name: Vpc - type: string - - jsonPath: .spec.subnet - name: Subnet - type: string - - jsonPath: .spec.lanIp - name: LanIP - type: string - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - lanIp: - type: string - subnet: - type: string - externalSubnets: - items: - type: string - type: array - vpc: - type: string - selector: - type: array - items: - type: string - tolerations: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - enum: - - Equal - - Exists - value: - type: string - effect: - type: string - enum: - - NoExecute - - NoSchedule - - PreferNoSchedule - tolerationSeconds: - type: integer - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: 
- - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - 
type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-eips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-eips - singular: iptables-eip - shortNames: - - eip - kind: IptablesEIP - listKind: IptablesEIPList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.ip - name: IP - type: string - - jsonPath: .spec.macAddress - name: Mac - type: string - - jsonPath: .status.nat - name: Nat - 
type: string - - jsonPath: .spec.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - ip: - type: string - nat: - type: string - redo: - type: string - qosPolicy: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - v4ip: - type: string - v6ip: - type: string - macAddress: - type: string - natGwDp: - type: string - qosPolicy: - type: string - externalSubnet: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-fip-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-fip-rules - singular: iptables-fip-rule - shortNames: - - fip - kind: IptablesFIPRule - listKind: IptablesFIPRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: Eip - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - internalIp: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - 
lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - internalIp: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-dnat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-dnat-rules - singular: iptables-dnat-rule - shortNames: - - dnat - kind: IptablesDnatRule - listKind: IptablesDnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: Eip - type: string - - jsonPath: .spec.protocol - name: Protocol - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .spec.externalPort - name: ExternalPort - type: string - - jsonPath: .spec.internalPort - name: InternalPort - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - protocol: - type: string - internalIp: - type: string - internalPort: - type: string - externalPort: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - externalPort: - type: string - protocol: - type: string - internalIp: - type: string - internalPort: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-snat-rules.kubeovn.io -spec: - group: kubeovn.io - 
names: - plural: iptables-snat-rules - singular: iptables-snat-rule - shortNames: - - snat - kind: IptablesSnatRule - listKind: IptablesSnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: EIP - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalCIDR - name: InternalCIDR - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - internalCIDR: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - internalCIDR: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-eips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-eips - singular: ovn-eip - shortNames: - - oeip - kind: OvnEip - listKind: OvnEipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.v4Ip - name: V4IP - type: string - - jsonPath: .status.v6Ip - name: V6IP - type: string - - jsonPath: .status.macAddress - name: Mac - type: string - - jsonPath: .status.type - name: Type - type: string - - jsonPath: .status.nat - name: Nat - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object 
- properties: - type: - type: string - nat: - type: string - ready: - type: boolean - v4Ip: - type: string - v6Ip: - type: string - macAddress: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - externalSubnet: - type: string - type: - type: string - v4Ip: - type: string - v6Ip: - type: string - macAddress: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-fips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-fips - singular: ovn-fip - shortNames: - - ofip - kind: OvnFip - listKind: OvnFipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4Ip - name: V4Ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .spec.ipType - name: IpType - type: string - - jsonPath: .spec.ipName - name: IpName - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4Ip: - type: string - vpc: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - ipType: - type: string - ipName: - type: string - vpc: - type: string - v4Ip: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-snat-rules.kubeovn.io -spec: - group: 
kubeovn.io - names: - plural: ovn-snat-rules - singular: ovn-snat-rule - shortNames: - - osnat - kind: OvnSnatRule - listKind: OvnSnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4IpCidr - name: V4IpCidr - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4IpCidr: - type: string - vpc: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - vpcSubnet: - type: string - ipName: - type: string - vpc: - type: string - v4IpCidr: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-dnat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-dnat-rules - singular: ovn-dnat-rule - shortNames: - - odnat - kind: OvnDnatRule - listKind: OvnDnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .spec.ovnEip - name: Eip - type: string - - jsonPath: .status.protocol - name: Protocol - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4Ip - name: V4Ip - type: string - - jsonPath: .status.internalPort - name: InternalPort - type: string - - jsonPath: .status.externalPort - name: ExternalPort - type: string - - jsonPath: .spec.ipName - name: IpName - type: string - - 
jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4Ip: - type: string - vpc: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - ipName: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - ipType: - type: string - ipName: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - vpc: - type: string - v4Ip: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpcs.kubeovn.io -spec: - group: kubeovn.io - versions: - - additionalPrinterColumns: - - jsonPath: .status.enableExternal - name: EnableExternal - type: boolean - - jsonPath: .status.enableBfd - name: EnableBfd - type: boolean - - jsonPath: .status.standby - name: Standby - type: boolean - - jsonPath: .status.subnets - name: Subnets - type: string - - jsonPath: .status.extraExternalSubnets - name: ExtraExternalSubnets - type: string - - jsonPath: .spec.namespaces - name: Namespaces - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - enableExternal: - type: boolean - enableBfd: - type: boolean - namespaces: - items: - type: string - type: array - extraExternalSubnets: - items: - type: string - type: array - staticRoutes: - items: - properties: - policy: - type: string - cidr: - type: string - nextHopIP: - type: string - ecmpMode: - type: string - bfdId: - type: string - routeTable: - type: string - type: object - type: array - policyRoutes: - items: - properties: - priority: - type: integer - action: - type: 
string - match: - type: string - nextHopIP: - type: string - type: object - type: array - vpcPeerings: - items: - properties: - remoteVpc: - type: string - localConnectIP: - type: string - type: object - type: array - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - lastUpdateTime: - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - default: - type: boolean - defaultLogicalSwitch: - type: string - router: - type: string - standby: - type: boolean - enableExternal: - type: boolean - enableBfd: - type: boolean - subnets: - items: - type: string - type: array - extraExternalSubnets: - items: - type: string - type: array - vpcPeerings: - items: - type: string - type: array - tcpLoadBalancer: - type: string - tcpSessionLoadBalancer: - type: string - udpLoadBalancer: - type: string - udpSessionLoadBalancer: - type: string - sctpLoadBalancer: - type: string - sctpSessionLoadBalancer: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - names: - kind: Vpc - listKind: VpcList - plural: vpcs - shortNames: - - vpc - singular: vpc - scope: Cluster ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ips.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .spec.v4IpAddress - - name: V6IP - type: string - jsonPath: .spec.v6IpAddress - - name: Mac - type: string - jsonPath: .spec.macAddress - - name: Node - type: string - jsonPath: .spec.nodeName - - name: Subnet - type: string - jsonPath: .spec.subnet - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - podName: - type: string - namespace: - type: string - subnet: - type: string - attachSubnets: - type: array - items: - type: 
string - nodeName: - type: string - ipAddress: - type: string - v4IpAddress: - type: string - v6IpAddress: - type: string - attachIps: - type: array - items: - type: string - macAddress: - type: string - attachMacs: - type: array - items: - type: string - containerID: - type: string - podType: - type: string - scope: Cluster - names: - plural: ips - singular: ip - kind: IP - shortNames: - - ip ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vips - singular: vip - shortNames: - - vip - kind: Vip - listKind: VipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .status.v4ip - - name: V6IP - type: string - jsonPath: .status.v6ip - - name: Mac - type: string - jsonPath: .status.mac - - name: PMac - type: string - jsonPath: .spec.parentMac - - name: Subnet - type: string - jsonPath: .spec.subnet - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.type - name: Type - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - type: - type: string - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - mac: - type: string - pv4ip: - type: string - pv6ip: - type: string - pmac: - type: string - selector: - type: array - items: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - namespace: - type: string - subnet: - type: string - type: - type: string - attachSubnets: - type: array - items: - type: string - v4ip: - type: string - macAddress: - type: string - v6ip: - type: string - parentV4ip: - type: string - parentMac: - type: string - 
parentV6ip: - type: string - selector: - type: array - items: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: subnets.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Provider - type: string - jsonPath: .spec.provider - - name: Vpc - type: string - jsonPath: .spec.vpc - - name: Protocol - type: string - jsonPath: .spec.protocol - - name: CIDR - type: string - jsonPath: .spec.cidrBlock - - name: Private - type: boolean - jsonPath: .spec.private - - name: NAT - type: boolean - jsonPath: .spec.natOutgoing - - name: Default - type: boolean - jsonPath: .spec.default - - name: GatewayType - type: string - jsonPath: .spec.gatewayType - - name: V4Used - type: number - jsonPath: .status.v4usingIPs - - name: V4Available - type: number - jsonPath: .status.v4availableIPs - - name: V6Used - type: number - jsonPath: .status.v6usingIPs - - name: V6Available - type: number - jsonPath: .status.v6availableIPs - - name: ExcludeIPs - type: string - jsonPath: .spec.excludeIps - - name: U2OInterconnectionIP - type: string - jsonPath: .status.u2oInterconnectionIP - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - v4availableIPs: - type: number - v4usingIPs: - type: number - v6availableIPs: - type: number - v6usingIPs: - type: number - activateGateway: - type: string - dhcpV4OptionsUUID: - type: string - dhcpV6OptionsUUID: - type: string - u2oInterconnectionIP: - type: string - u2oInterconnectionVPC: - type: string - v4usingIPrange: - type: string - v4availableIPrange: - type: string - v6usingIPrange: - type: string - v6availableIPrange: - type: string - natOutgoingPolicyRules: - type: array - items: - type: object - properties: - ruleID: - type: string - action: - type: string - enum: - - nat - - forward - match: - type: object - properties: - srcIPs: - type: string - 
dstIPs: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - vpc: - type: string - default: - type: boolean - protocol: - type: string - enum: - - IPv4 - - IPv6 - - Dual - cidrBlock: - type: string - namespaces: - type: array - items: - type: string - gateway: - type: string - provider: - type: string - excludeIps: - type: array - items: - type: string - vips: - type: array - items: - type: string - gatewayType: - type: string - allowSubnets: - type: array - items: - type: string - gatewayNode: - type: string - natOutgoing: - type: boolean - externalEgressGateway: - type: string - policyRoutingPriority: - type: integer - minimum: 1 - maximum: 32765 - policyRoutingTableID: - type: integer - minimum: 1 - maximum: 2147483647 - not: - enum: - - 252 # compat - - 253 # default - - 254 # main - - 255 # local - mtu: - type: integer - minimum: 68 - maximum: 65535 - private: - type: boolean - vlan: - type: string - logicalGateway: - type: boolean - disableGatewayCheck: - type: boolean - disableInterConnection: - type: boolean - enableDHCP: - type: boolean - dhcpV4Options: - type: string - dhcpV6Options: - type: string - enableIPv6RA: - type: boolean - ipv6RAConfigs: - type: string - allowEWTraffic: - type: boolean - acls: - type: array - items: - type: object - properties: - direction: - type: string - enum: - - from-lport - - to-lport - priority: - type: integer - minimum: 0 - maximum: 32767 - match: - type: string - action: - type: string - enum: - - allow-related - - allow-stateless - - allow - - drop - - reject - natOutgoingPolicyRules: - type: array - items: - type: object - properties: - action: - type: string - enum: - - nat - - forward - match: - type: object - properties: - srcIPs: - type: string - dstIPs: - type: string - 
u2oInterconnection: - type: boolean - u2oInterconnectionIP: - type: string - enableLb: - type: boolean - enableEcmp: - type: boolean - enableMulticastSnoop: - type: boolean - routeTable: - type: string - scope: Cluster - names: - plural: subnets - singular: subnet - kind: Subnet - shortNames: - - subnet ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Subnet - type: string - jsonPath: .spec.subnet - - name: IPs - type: string - jsonPath: .spec.ips - - name: V4Used - type: number - jsonPath: .status.v4UsingIPs - - name: V4Available - type: number - jsonPath: .status.v4AvailableIPs - - name: V6Used - type: number - jsonPath: .status.v6UsingIPs - - name: V6Available - type: number - jsonPath: .status.v6AvailableIPs - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - subnet: - type: string - x-kubernetes-validations: - - rule: "self == oldSelf" - message: "This field is immutable." 
- namespaces: - type: array - x-kubernetes-list-type: set - items: - type: string - ips: - type: array - minItems: 1 - x-kubernetes-list-type: set - items: - type: string - anyOf: - - format: ipv4 - - format: ipv6 - - format: cidr - - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.\.(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ - - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))\.\.((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ - required: - - subnet - - ips - status: - type: object - properties: - v4AvailableIPs: - type: number - v4UsingIPs: - type: number - v6AvailableIPs: - type: number - v6UsingIPs: - type: number - v4AvailableIPRange: - type: string - v4UsingIPRange: - type: string - v6AvailableIPRange: - type: string - v6UsingIPRange: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ippool ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: 
vlans.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - id: - type: integer - minimum: 0 - maximum: 4095 - provider: - type: string - vlanId: - type: integer - description: Deprecated in favor of id - providerInterfaceName: - type: string - description: Deprecated in favor of provider - required: - - provider - status: - type: object - properties: - subnets: - type: array - items: - type: string - additionalPrinterColumns: - - name: ID - type: string - jsonPath: .spec.id - - name: Provider - type: string - jsonPath: .spec.provider - scope: Cluster - names: - plural: vlans - singular: vlan - kind: Vlan - shortNames: - - vlan ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: provider-networks.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - metadata: - type: object - properties: - name: - type: string - maxLength: 12 - not: - enum: - - int - spec: - type: object - properties: - defaultInterface: - type: string - maxLength: 15 - pattern: '^[^/\s]+$' - customInterfaces: - type: array - items: - type: object - properties: - interface: - type: string - maxLength: 15 - pattern: '^[^/\s]+$' - nodes: - type: array - items: - type: string - exchangeLinkName: - type: boolean - excludeNodes: - type: array - items: - type: string - required: - - defaultInterface - status: - type: object - properties: - ready: - type: boolean - readyNodes: - type: array - items: - type: string - notReadyNodes: - type: array - items: - type: string - vlans: - type: array - items: - type: string - conditions: - type: array - items: - type: object - properties: - node: - type: string - type: - type: string - status: - type: string - reason: - type: string - 
message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - additionalPrinterColumns: - - name: DefaultInterface - type: string - jsonPath: .spec.defaultInterface - - name: Ready - type: boolean - jsonPath: .status.ready - scope: Cluster - names: - plural: provider-networks - singular: provider-network - kind: ProviderNetwork - listKind: ProviderNetworkList ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: security-groups.kubeovn.io -spec: - group: kubeovn.io - names: - plural: security-groups - singular: security-group - shortNames: - - sg - kind: SecurityGroup - listKind: SecurityGroupList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ingressRules: - type: array - items: - type: object - properties: - ipVersion: - type: string - protocol: - type: string - priority: - type: integer - remoteType: - type: string - remoteAddress: - type: string - remoteSecurityGroup: - type: string - portRangeMin: - type: integer - portRangeMax: - type: integer - policy: - type: string - egressRules: - type: array - items: - type: object - properties: - ipVersion: - type: string - protocol: - type: string - priority: - type: integer - remoteType: - type: string - remoteAddress: - type: string - remoteSecurityGroup: - type: string - portRangeMin: - type: integer - portRangeMax: - type: integer - policy: - type: string - allowSameGroupTraffic: - type: boolean - status: - type: object - properties: - portGroup: - type: string - allowSameGroupTraffic: - type: boolean - ingressMd5: - type: string - egressMd5: - type: string - ingressLastSyncSuccess: - type: boolean - egressLastSyncSuccess: - type: boolean - subresources: - status: {} - conversion: - strategy: None ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: qos-policies.kubeovn.io -spec: - 
group: kubeovn.io - names: - plural: qos-policies - singular: qos-policy - shortNames: - - qos - kind: QoSPolicy - listKind: QoSPolicyList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.shared - name: Shared - type: string - - jsonPath: .spec.bindingType - name: BindingType - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - shared: - type: boolean - bindingType: - type: string - bandwidthLimitRules: - type: array - items: - type: object - properties: - name: - type: string - interface: - type: string - rateMax: - type: string - burstMax: - type: string - priority: - type: integer - direction: - type: string - matchType: - type: string - matchValue: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - shared: - type: boolean - bindingType: - type: string - bandwidthLimitRules: - type: array - items: - type: object - properties: - name: - type: string - interface: - type: string - rateMax: - type: string - burstMax: - type: string - priority: - type: integer - direction: - type: string - matchType: - type: string - matchValue: - type: string - required: - - name - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map diff --git a/packages/system/kubeovn/charts/kube-ovn/images b/packages/system/kubeovn/charts/kube-ovn/images new file mode 120000 index 00000000..5fa69870 --- /dev/null +++ b/packages/system/kubeovn/charts/kube-ovn/images @@ -0,0 +1 @@ +../../images \ No newline at end of file 
diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml deleted file mode 100644 index fce1b220..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v2 -name: kube-ovn -description: Helm chart for Kube-OVN - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.13.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.13.0" diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md deleted file mode 100644 index 3af408e6..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Kube-OVN-helm - -Currently supported version: 1.9 - -Installation : - -```bash -$ kubectl label node -lbeta.kubernetes.io/os=linux kubernetes.io/os=linux --overwrite -$ kubectl label node -lnode-role.kubernetes.io/control-plane kube-ovn/role=master --overwrite -$ kubectl label node -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel --overwrite - -# standard install -$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0} - -# high availability install -$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} - -# upgrade to this version -$ helm upgrade --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} -``` - -If `MASTER_NODES` unspecified Helm will take internal IPs of nodes with `kube-ovn/role=master` label - -### Talos Linux - -To install Kube-OVN on Talos Linux, declare openvswitch module in machine config: - -``` -machine: - kernel: - modules: - - name: openvswitch -``` - -and use the following options to install this Helm-chart: - -``` ---set cni_conf.MOUNT_LOCAL_BIN_DIR=false ---set OPENVSWITCH_DIR=/var/lib/openvswitch ---set OVN_DIR=/var/lib/ovn ---set DISABLE_MODULES_MANAGEMENT=true -``` diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl deleted file mode 100644 index 7b473941..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl +++ /dev/null 
@@ -1,54 +0,0 @@ -{{/* -Get IP-addresses of master nodes -*/}} -{{- define "kubeovn.nodeIPs" -}} -{{- $nodes := lookup "v1" "Node" "" "" -}} -{{- $ips := list -}} -{{- range $node := $nodes.items -}} - {{- $label := splitList "=" $.Values.MASTER_NODES_LABEL }} - {{- $key := index $label 0 }} - {{- $val := "" }} - {{- if eq (len $label) 2 }} - {{- $val = index $label 1 }} - {{- end }} - {{- if eq (index $node.metadata.labels $key) $val -}} - {{- range $address := $node.status.addresses -}} - {{- if eq $address.type "InternalIP" -}} - {{- $ips = append $ips $address.address -}} - {{- break -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{ join "," $ips }} -{{- end -}} - -{{/* -Number of master nodes -*/}} -{{- define "kubeovn.nodeCount" -}} - {{- len (split "," (.Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .))) }} -{{- end -}} - -{{- define "kubeovn.ovs-ovn.updateStrategy" -}} - {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}} - {{- if $ds -}} - {{- if eq $ds.spec.updateStrategy.type "RollingUpdate" -}} - RollingUpdate - {{- else -}} - {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}} - {{- $versionRegex := `^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)` -}} - {{- if regexMatch $versionRegex $imageVersion -}} - {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}} - RollingUpdate - {{- else -}} - OnDelete - {{- end -}} - {{- else -}} - OnDelete - {{- end -}} - {{- end -}} - {{- else -}} - RollingUpdate - {{- end -}} -{{- end -}} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml deleted file mode 100644 index 0f4044b4..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml +++ /dev/null 
@@ -1,161 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: ovn-central - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - OVN components: northd, nb and sb. -spec: - replicas: {{ include "kubeovn.nodeCount" . }} - strategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 - type: RollingUpdate - selector: - matchLabels: - app: ovn-central - template: - metadata: - labels: - app: ovn-central - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: ovn-central - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: ovn-ovs - hostNetwork: true - containers: - - name: ovn-central - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /kube-ovn/start-db.sh - securityContext: - capabilities: - add: ["SYS_NICE"] - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: NODE_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) 
}}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - - name: PROBE_INTERVAL - value: "{{ .Values.networking.PROBE_INTERVAL }}" - - name: OVN_NORTHD_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}" - - name: OVN_LEADER_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_LEADER_PROBE_INTERVAL }}" - - name: OVN_NORTHD_N_THREADS - value: "{{ .Values.networking.OVN_NORTHD_N_THREADS }}" - - name: ENABLE_COMPACT - value: "{{ .Values.networking.ENABLE_COMPACT }}" - {{- if include "kubeovn.ovs-ovn.updateStrategy" . | eq "OnDelete" }} - - name: OVN_VERSION_COMPATIBILITY - value: "21.06" - {{- end }} - resources: - requests: - cpu: {{ index .Values "ovn-central" "requests" "cpu" }} - memory: {{ index .Values "ovn-central" "requests" "memory" }} - limits: - cpu: {{ index .Values "ovn-central" "limits" "cpu" }} - memory: {{ index .Values "ovn-central" "limits" "memory" }} - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - periodSeconds: 15 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - initialDelaySeconds: 30 - periodSeconds: 15 - failureThreshold: 5 - timeoutSeconds: 45 - nodeSelector: - 
kubernetes.io/os: "linux" - {{- with splitList "=" .Values.MASTER_NODES_LABEL }} - {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" - {{- end }} - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml deleted file mode 100644 index cea79b7d..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml +++ /dev/null 
@@ -1,190 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: kube-ovn-controller - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - kube-ovn controller -spec: - replicas: {{ include "kubeovn.nodeCount" . }} - selector: - matchLabels: - app: kube-ovn-controller - strategy: - rollingUpdate: - maxSurge: 0% - maxUnavailable: 100% - type: RollingUpdate - template: - metadata: - labels: - app: kube-ovn-controller - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: "ovn.kubernetes.io/ic-gw" - operator: NotIn - values: - - "true" - weight: 100 - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: kube-ovn-controller - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: ovn - hostNetwork: true - containers: - - name: kube-ovn-controller - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - /kube-ovn/start-controller.sh - - --default-ls={{ .Values.networking.DEFAULT_SUBNET }} - - --default-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_CIDR }} - {{- end }} - - --default-gateway= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_GATEWAY }} - 
{{- end }} - - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }} - - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }} - - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }} - - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }} - - --cluster-router={{ .Values.networking.DEFAULT_VPC }} - - --node-switch={{ .Values.networking.NODE_SUBNET }} - - --node-switch-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.JOIN_CIDR }} - {{- end }} - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} - - --network-type={{- .Values.networking.NETWORK_TYPE }} - - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }} - - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} - - --default-exchange-link-name={{- .Values.networking.EXCHANGE_LINK_NAME }} - - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }} - - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }} - - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }} - - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }} - - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }} - - --enable-lb={{- .Values.func.ENABLE_LB }} - - --enable-np={{- .Values.func.ENABLE_NP }} - - --enable-eip-snat={{- .Values.networking.ENABLE_EIP_SNAT }} - - --enable-external-vpc={{- .Values.func.ENABLE_EXTERNAL_VPC }} - - --enable-ecmp={{- .Values.networking.ENABLE_ECMP }} - - --logtostderr=false - - --alsologtostderr=true - - --gc-interval={{- 
.Values.performance.GC_INTERVAL }} - - --inspect-interval={{- .Values.performance.INSPECT_INTERVAL }} - - --log_file=/var/log/kube-ovn/kube-ovn-controller.log - - --log_file_max_size=0 - - --enable-lb-svc={{- .Values.func.ENABLE_LB_SVC }} - - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }} - - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }} - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - # ovn-ic log directory - - mountPath: /var/log/ovn - name: ovn-log - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - /kube-ovn/kube-ovn-controller-healthcheck - periodSeconds: 3 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - /kube-ovn/kube-ovn-controller-healthcheck - initialDelaySeconds: 300 - periodSeconds: 7 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: {{ index .Values "kube-ovn-controller" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-controller" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-controller" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-controller" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-log - hostPath: - path: {{ 
.Values.log_conf.LOG_DIR }}/kube-ovn - - name: ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml deleted file mode 100644 index b4d39619..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-controller - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-controller -spec: - selector: - app: kube-ovn-controller - ports: - - port: 10660 - name: metrics - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml deleted file mode 100644 index b938ebfe..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: kube-ovn-monitor - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - Metrics for OVN components: northd, nb and sb. -spec: - replicas: 1 - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - selector: - matchLabels: - app: kube-ovn-monitor - template: - metadata: - labels: - app: kube-ovn-monitor - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: kube-ovn-monitor - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: kube-ovn-app - hostNetwork: true - containers: - - name: kube-ovn-monitor - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/kube-ovn/start-ovn-monitor.sh"] - args: - - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log - - --logtostderr=false - - --alsologtostderr=true - - --log_file_max_size=0 - securityContext: - runAsUser: 0 - privileged: false - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - resources: - requests: - cpu: {{ index .Values "kube-ovn-monitor" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-monitor" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }} - volumeMounts: - - mountPath: /var/run/openvswitch - name: 
host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/ovn - name: host-log-ovn - readOnly: true - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10661 - timeoutSeconds: 3 - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10661 - timeoutSeconds: 3 - nodeSelector: - kubernetes.io/os: "linux" - {{- with splitList "=" .Values.MASTER_NODES_LABEL }} - {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" - {{- end }} - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml deleted file mode 100644 index 1ad1800d..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-monitor - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-monitor -spec: - ports: - - name: metrics - port: 10661 - type: ClusterIP - selector: - app: kube-ovn-monitor - sessionAffinity: None - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml deleted file mode 100644 index 43992e91..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml +++ /dev/null @@ -1,19 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ovn-nb - namespace: {{ .Values.namespace }} -spec: - ports: - - name: ovn-nb - protocol: TCP - port: 6641 - targetPort: 6641 - type: ClusterIP - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} - selector: - app: ovn-central - ovn-nb-leader: "true" - sessionAffinity: None diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml deleted file mode 100644 index cec07233..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml +++ /dev/null @@ -1,19 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ovn-northd - namespace: {{ .Values.namespace }} -spec: - ports: - - name: ovn-northd - protocol: TCP - port: 6643 - targetPort: 6643 - type: ClusterIP - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} - selector: - app: ovn-central - ovn-northd-leader: "true" - sessionAffinity: None diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml deleted file mode 100644 index 69d46ad9..00000000 
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml +++ /dev/null 
@@ -1,256 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn -rules: - - apiGroups: - - "kubeovn.io" - resources: - - vpcs - - vpcs/status - - vpc-nat-gateways - - vpc-nat-gateways/status - - subnets - - subnets/status - - ippools - - ippools/status - - ips - - vips - - vips/status - - vlans - - vlans/status - - provider-networks - - provider-networks/status - - security-groups - - security-groups/status - - iptables-eips - - iptables-fip-rules - - iptables-dnat-rules - - iptables-snat-rules - - iptables-eips/status - - iptables-fip-rules/status - - iptables-dnat-rules/status - - iptables-snat-rules/status - - ovn-eips - - ovn-fips - - ovn-snat-rules - - ovn-eips/status - - ovn-fips/status - - ovn-snat-rules/status - - ovn-dnat-rules - - ovn-dnat-rules/status - - switch-lb-rules - - switch-lb-rules/status - - vpc-dnses - - vpc-dnses/status - - qos-policies - - qos-policies/status - verbs: - - "*" - - apiGroups: - - "" - resources: - - pods - - namespaces - verbs: - - get - - list - - patch - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - apiGroups: - - "k8s.cni.cncf.io" - resources: - - network-attachment-definitions - verbs: - - get - - apiGroups: - - "" - - networking.k8s.io - resources: - - networkpolicies - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - apiGroups: - - "" - resources: - - services - - services/status - verbs: - - get - - list - - update - - create - - delete - - watch - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - update - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - - deployments - - deployments/scale - verbs: - - get - - list - - create - - delete - - update - - 
apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - "*" - - apiGroups: - - "kubevirt.io" - resources: - - virtualmachines - - virtualmachineinstances - verbs: - - get - - list - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn-ovs -rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - patch - - apiGroups: - - "" - resources: - - services - - endpoints - verbs: - - get - - apiGroups: - - apps - resources: - - controllerrevisions - verbs: - - get - - list - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-cni -rules: - - apiGroups: - - "kubeovn.io" - - "" - resources: - - subnets - - provider-networks - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - - "kubeovn.io" - resources: - - ovn-eips - - ovn-eips/status - - nodes - verbs: - - get - - list - - patch - - watch - - apiGroups: - - "kubeovn.io" - resources: - - ips - verbs: - - get - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-app -rules: - - apiGroups: - - "" - resources: - - pods - - nodes - verbs: - - get - - list - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml deleted file mode 100644 index 9230d900..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn -roleRef: - name: system:ovn - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn - namespace: {{ .Values.namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn-ovs -roleRef: - name: system:ovn-ovs - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn-ovs - namespace: {{ .Values.namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-cni -roleRef: - name: system:kube-ovn-cni - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-app -roleRef: - name: system:kube-ovn-app - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-app - namespace: {{ .Values.namespace }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml deleted file mode 100644 index 1d799899..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml +++ /dev/null 
@@ -1,164 +0,0 @@ -{{- if .Values.HYBRID_DPDK }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn-dpdk - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. -spec: - selector: - matchLabels: - app: ovs-dpdk - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: ovs-dpdk - component: network - type: infra - spec: - tolerations: - - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}-dpdk - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/kube-ovn/start-ovs-dpdk-v2.sh"] - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HW_OFFLOAD - value: "{{- .Values.func.HW_OFFLOAD }}" - - name: TUNNEL_TYPE - value: "{{- .Values.networking.TUNNEL_TYPE }}" - - name: DPDK_TUNNEL_IFACE - value: "{{- .Values.networking.DPDK_TUNNEL_IFACE }}" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) 
}}" - - name: OVN_REMOTE_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_PROBE_INTERVAL }}" - - name: OVN_REMOTE_OPENFLOW_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}" - volumeMounts: - - mountPath: /opt/ovs-config - name: host-config-ovs - - name: shareddir - mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - - name: hugepage - mountPath: /dev/hugepages - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - mountPropagation: HostToContainer - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - -c - - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovs-healthcheck.sh - initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }} - memory: {{ index .Values "ovs-ovn" "requests" "memory" }} - limits: - cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }} - {{.Values.HUGEPAGE_SIZE_TYPE}}: {{.Values.HUGEPAGES}} - memory: {{ index .Values "ovs-ovn" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - ovn.kubernetes.io/ovs_dp_type: "userspace" - volumes: - - name: host-config-ovs - hostPath: - path: /opt/ovs-config - type: DirectoryOrCreate - - name: shareddir - hostPath: - path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - type: '' - - name: hugepage - emptyDir: - medium: HugePages - - name: host-modules - hostPath: - path: /lib/modules - - 
name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -{{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml deleted file mode 100644 index 17b4a92f..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn - namespace: {{ .Values.namespace }} -{{- if .Values.global.registry.imagePullSecrets }} -imagePullSecrets: -{{- range $index, $secret := .Values.global.registry.imagePullSecrets }} -{{- if $secret }} -- name: {{ $secret | quote}} -{{- end }} -{{- end }} -{{- end }} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn-ovs - namespace: {{ .Values.namespace }} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-app - namespace: {{ .Values.namespace }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml deleted file mode 100644 index dde40203..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if .Values.networking.ENABLE_SSL }} -{{- $cn := "ovn" -}} -{{- $ca := genCA "ovn-ca" 3650 -}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: kube-ovn-tls - namespace: {{ .Values.namespace }} -data: -{{- $existingSecret := lookup "v1" "Secret" .Values.namespace "kube-ovn-tls" }} - {{- if $existingSecret }} - cacert: {{ index $existingSecret.data "cacert" }} - cert: {{ index $existingSecret.data "cert" }} - key: {{ index $existingSecret.data "key" }} - {{- else }} - {{- with genSignedCert $cn nil nil 3650 $ca }} - cacert: {{ b64enc $ca.Cert }} - cert: {{ b64enc .Cert }} - key: {{ b64enc .Key }} - {{- end }} - {{- end }} -{{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml deleted file mode 100644 index 1dfedf1a..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml +++ /dev/null 
@@ -1,206 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the kube-ovn cni daemon. -spec: - selector: - matchLabels: - app: kube-ovn-cni - template: - metadata: - labels: - app: kube-ovn-cni - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: kube-ovn-cni - hostNetwork: true - hostPID: true - initContainers: - - name: install-cni - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/kube-ovn/install-cni.sh"] - securityContext: - runAsUser: 0 - privileged: true - volumeMounts: - - mountPath: /opt/cni/bin - name: cni-bin - {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - - mountPath: /usr/local/bin - name: local-bin - {{- end }} - containers: - - name: cni-server - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - bash - - /kube-ovn/start-cniserver.sh - args: - - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }} - - --mirror-iface={{- .Values.debug.MIRROR_IFACE }} - - --node-switch={{ .Values.networking.NODE_SUBNET }} - - --encap-checksum=true - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} - {{- if eq .Values.networking.NETWORK_TYPE "vlan" }} - - --iface= - {{- else}} - - --iface={{- 
.Values.networking.IFACE }} - {{- end }} - - --dpdk-tunnel-iface={{- .Values.networking.DPDK_TUNNEL_IFACE }} - - --network-type={{- .Values.networking.TUNNEL_TYPE }} - - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} - - --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }} - - --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }} - - --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist - - --logtostderr=false - - --alsologtostderr=true - - --log_file=/var/log/kube-ovn/kube-ovn-cni.log - - --log_file_max_size=0 - - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - - --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }} - - --enable-tproxy={{ .Values.func.ENABLE_TPROXY }} - - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }} - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - - name: DBUS_SYSTEM_BUS_ADDRESS - value: "unix:path=/host/var/run/dbus/system_bus_socket" - volumeMounts: - - name: host-modules - mountPath: /lib/modules - readOnly: true - - name: shared-dir - mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - - mountPath: /etc/openvswitch - name: systemid - readOnly: true - - mountPath: /etc/cni/net.d - name: cni-conf - - mountPath: /run/openvswitch - name: host-run-ovs - mountPropagation: Bidirectional - - mountPath: /run/ovn - name: host-run-ovn - - mountPath: /host/var/run/dbus - name: host-dbus - mountPropagation: HostToContainer - - mountPath: /var/run/netns - name: host-ns - mountPropagation: HostToContainer - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /var/log/openvswitch 
- name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - readinessProbe: - failureThreshold: 3 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 - resources: - requests: - cpu: {{ index .Values "kube-ovn-cni" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-cni" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-cni" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-cni" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: shared-dir - hostPath: - path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - - name: systemid - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: cni-conf - hostPath: - path: {{ .Values.cni_conf.CNI_CONF_DIR }} - - name: cni-bin - hostPath: - path: {{ .Values.cni_conf.CNI_BIN_DIR }} - - name: host-ns - hostPath: - path: /var/run/netns - - name: host-dbus - hostPath: - path: /var/run/dbus - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - - name: local-bin - hostPath: - path: {{ .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml deleted file mode 100644 index e1c47c80..00000000 
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: kube-ovn-cni
- namespace: {{ .Values.namespace }}
- labels:
- app: kube-ovn-cni
-spec:
- selector:
- app: kube-ovn-cni
- ports:
- - port: 10665
- name: metrics
- {{- if eq .Values.networking.NET_STACK "dual_stack" }}
- ipFamilyPolicy: PreferDualStack
- {{- end }}
diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml
deleted file mode 100644
index 72a5eb40..00000000
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml
+++ /dev/null
@@ -1,221 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. - chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" -spec: - selector: - matchLabels: - app: ovs - updateStrategy: - type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }} - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: ovs - component: network - type: infra - annotations: - chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - {{- if .Values.DPDK }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }} - {{- else }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - {{- end }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.DPDK }} - command: ["/kube-ovn/start-ovs-dpdk.sh"] - {{- else }} - command: - {{- if .Values.DISABLE_MODULES_MANAGEMENT }} - - /bin/sh - - -ec - - | - ln -sf /bin/true /usr/sbin/modprobe - ln -sf /bin/true /usr/sbin/modinfo - ln -sf /bin/true /usr/sbin/rmmod - exec /kube-ovn/start-ovs.sh - {{- else }} - - /kube-ovn/start-ovs.sh - {{- end }} - {{- end }} - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: 
metadata.namespace - - name: HW_OFFLOAD - value: "{{- .Values.func.HW_OFFLOAD }}" - - name: TUNNEL_TYPE - value: "{{- .Values.networking.TUNNEL_TYPE }}" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" - - name: OVN_REMOTE_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_PROBE_INTERVAL }}" - - name: OVN_REMOTE_OPENFLOW_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}" - volumeMounts: - - mountPath: /var/run/netns - name: host-ns - mountPropagation: HostToContainer - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - - mountPath: /var/run/containerd - name: cruntime - readOnly: true - {{- if .Values.DPDK }} - - mountPath: /opt/ovs-config - name: host-config-ovs - - mountPath: /dev/hugepages - name: hugepage - {{- end }} - readinessProbe: - exec: - {{- if .Values.DPDK }} - command: - - bash - - /kube-ovn/ovs-dpdk-healthcheck.sh - {{- else }} - command: - - bash - - -c - - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh - {{- end }} - initialDelaySeconds: 10 - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - {{- if .Values.DPDK }} - command: - - bash - - /kube-ovn/ovs-dpdk-healthcheck.sh - {{- else }} - command: - - bash - - /kube-ovn/ovs-healthcheck.sh - {{- end }} - initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - {{- if .Values.DPDK }} - cpu: {{ .Values.DPDK_CPU }} - memory: {{ 
.Values.DPDK_MEMORY }} - {{- else }} - cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }} - memory: {{ index .Values "ovs-ovn" "requests" "memory" }} - {{- end }} - limits: - {{- if .Values.DPDK }} - cpu: {{ .Values.DPDK_CPU }} - memory: {{ .Values.DPDK_MEMORY }} - hugepages-1Gi: 1Gi - {{- else }} - cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }} - memory: {{ index .Values "ovs-ovn" "limits" "memory" }} - {{- end }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - - name: host-ns - hostPath: - path: /var/run/netns - - hostPath: - path: /var/run/containerd - name: cruntime - {{- if .Values.DPDK }} - - name: host-config-ovs - hostPath: - path: /opt/ovs-config - type: DirectoryOrCreate - - name: hugepage - emptyDir: - medium: HugePages - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml deleted file mode 100644 index f54b276a..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml +++ /dev/null 
@@ -1,137 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: kube-ovn-pinger - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. -spec: - selector: - matchLabels: - app: kube-ovn-pinger - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: kube-ovn-pinger - component: network - type: infra - spec: - priorityClassName: system-node-critical - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - serviceAccountName: kube-ovn-app - hostPID: true - containers: - - name: pinger - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - command: - - /kube-ovn/kube-ovn-pinger - args: - - --external-address= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.PINGER_EXTERNAL_ADDRESS }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.PINGER_EXTERNAL_ADDRESS }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.PINGER_EXTERNAL_ADDRESS }} - {{- end }} - - --external-dns= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.PINGER_EXTERNAL_DOMAIN }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.PINGER_EXTERNAL_DOMAIN }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.PINGER_EXTERNAL_DOMAIN }} - {{- end }} - - --ds-namespace={{ .Values.namespace }} - - --logtostderr=false - - --alsologtostderr=true - - --log_file=/var/log/kube-ovn/kube-ovn-pinger.log - - --log_file_max_size=0 - - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - runAsUser: 0 - privileged: false - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - 
valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /var/log/openvswitch - name: host-log-ovs - readOnly: true - - mountPath: /var/log/ovn - name: host-log-ovn - readOnly: true - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - resources: - requests: - cpu: {{ index .Values "kube-ovn-pinger" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-pinger" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-pinger" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-pinger" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml deleted file mode 100644 index ef169e8e..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml +++ /dev/null 
@@ -1,16 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: kube-ovn-pinger
- namespace: {{ .Values.namespace }}
- labels:
- app: kube-ovn-pinger
-spec:
- selector:
- app: kube-ovn-pinger
- ports:
- - port: 8080
- name: metrics
- {{- if eq .Values.networking.NET_STACK "dual_stack" }}
- ipFamilyPolicy: PreferDualStack
- {{- end }}
diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml
deleted file mode 100644
index d81c5ca2..00000000
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml
+++ /dev/null
@@ -1,123 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-pre-delete-hook - namespace: {{ .Values.namespace }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": hook-succeeded - name: system:kube-ovn-pre-delete-hook -rules: - - apiGroups: - - kubeovn.io - resources: - - subnets - verbs: - - get - - list - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-pre-delete-hook - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "3" - "helm.sh/hook-delete-policy": hook-succeeded -roleRef: - name: system:kube-ovn-pre-delete-hook - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-pre-delete-hook - namespace: {{ .Values.namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Chart.Name }}-pre-delete-hook" - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "4" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - completions: 1 - template: - metadata: - name: "{{ .Release.Name }}" - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: kube-ovn-pre-delete-hook - component: job - spec: - tolerations: - - key: "" - operator: "Exists" - effect: "NoSchedule" - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - kube-ovn-pre-delete-hook - - key: component - operator: In - values: - - job - restartPolicy: Never - hostNetwork: true - nodeSelector: - kubernetes.io/os: "linux" - serviceAccount: kube-ovn-pre-delete-hook - serviceAccountName: kube-ovn-pre-delete-hook - containers: - - name: remove-subnet-finalizer - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - command: - - sh - - -c - - /kube-ovn/remove-subnet-finalizer.sh 2>&1 | tee -a /var/log/kube-ovn/remove-subnet-finalizer.log - volumeMounts: - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - volumes: - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml deleted file mode 100644 index 36a4a27a..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ovn-sb
- namespace: {{ .Values.namespace }}
-spec:
- ports:
- - name: ovn-sb
- protocol: TCP
- port: 6642
- targetPort: 6642
- type: ClusterIP
- {{- if eq .Values.networking.NET_STACK "dual_stack" }}
- ipFamilyPolicy: PreferDualStack
- {{- end }}
- selector:
- app: ovn-central
- ovn-sb-leader: "true"
- sessionAffinity: None
diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml
deleted file mode 100644
index 94c175fa..00000000
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml
+++ /dev/null
@@ -1,163 +0,0 @@ -{{- if eq (include "kubeovn.ovs-ovn.updateStrategy" .) "OnDelete" }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovs-ovn-upgrade - namespace: {{ .Values.namespace }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": hook-succeeded - name: system:ovs-ovn-upgrade -rules: - - apiGroups: - - apps - resources: - - daemonsets - resourceNames: - - ovs-ovn - verbs: - - get - - apiGroups: - - apps - resources: - - deployments - resourceNames: - - ovn-central - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - apiGroups: - - "" - resources: - - pods - verbs: - - list - - get - - watch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovs-ovn-upgrade - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "3" - "helm.sh/hook-delete-policy": hook-succeeded -roleRef: - name: system:ovs-ovn-upgrade - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovs-ovn-upgrade - namespace: {{ .Values.namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Chart.Name }}-post-upgrade-hook" - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "4" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - completions: 1 - template: - metadata: - name: "{{ .Release.Name }}" - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: post-upgrade - component: job - spec: - tolerations: - - key: "" - operator: "Exists" - effect: "NoSchedule" - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - post-upgrade - - key: component - operator: In - values: - - job - restartPolicy: Never - hostNetwork: true - nodeSelector: - kubernetes.io/os: "linux" - serviceAccount: ovs-ovn-upgrade - serviceAccountName: ovs-ovn-upgrade - containers: - - name: ovs-ovn-upgrade - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: 
ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" - command: - - bash - - -eo - - pipefail - - -c - - /kube-ovn/upgrade-ovs.sh 2>&1 | tee -a /var/log/kube-ovn/upgrade-ovs.log - volumeMounts: - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /var/run/tls - name: kube-ovn-tls - volumes: - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -{{ end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml deleted file mode 100755 index 0f9bd0f5..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml +++ /dev/null @@ -1,10 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: ovn-vpc-nat-config - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - kube-ovn vpc-nat common config -data: - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }} \ No newline at end of file diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml deleted file mode 100644 index e65c8a85..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -# Default values for kubeovn. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - registry: - address: docker.io/kubeovn - imagePullSecrets: [] - images: - kubeovn: - repository: kube-ovn - dpdkRepository: kube-ovn-dpdk - vpcRepository: vpc-nat-gateway - tag: v1.13.0 - support_arm: true - thirdparty: true - -image: - pullPolicy: IfNotPresent - -namespace: kube-system -MASTER_NODES: "" -MASTER_NODES_LABEL: "kube-ovn/role=master" - -networking: - # NET_STACK could be dual_stack, ipv4, ipv6 - NET_STACK: ipv4 - ENABLE_SSL: false - # network type could be geneve or vlan - NETWORK_TYPE: geneve - # tunnel type could be geneve, vxlan or stt - TUNNEL_TYPE: geneve - IFACE: "" - DPDK_TUNNEL_IFACE: "br-phy" - EXCLUDE_IPS: "" - POD_NIC_TYPE: "veth-pair" - vlan: - PROVIDER_NAME: "provider" - VLAN_INTERFACE_NAME: "" - VLAN_NAME: "ovn-vlan" - VLAN_ID: "100" - EXCHANGE_LINK_NAME: false - ENABLE_EIP_SNAT: true - DEFAULT_SUBNET: "ovn-default" - DEFAULT_VPC: "ovn-cluster" - NODE_SUBNET: "join" - ENABLE_ECMP: false - ENABLE_METRICS: true - NODE_LOCAL_DNS_IP: "" - PROBE_INTERVAL: 180000 - OVN_NORTHD_PROBE_INTERVAL: 5000 - OVN_LEADER_PROBE_INTERVAL: 5 - OVN_REMOTE_PROBE_INTERVAL: 10000 - OVN_REMOTE_OPENFLOW_INTERVAL: 180 - OVN_NORTHD_N_THREADS: 1 - ENABLE_COMPACT: false - -func: - ENABLE_LB: true - ENABLE_NP: true - ENABLE_EIP_SNAT: true - ENABLE_EXTERNAL_VPC: true - HW_OFFLOAD: false - ENABLE_LB_SVC: false - ENABLE_KEEP_VM_IP: true - LS_DNAT_MOD_DL_DST: true - LS_CT_SKIP_DST_LPORT_IPS: true - CHECK_GATEWAY: true - LOGICAL_GATEWAY: false - ENABLE_BIND_LOCAL_IP: true - U2O_INTERCONNECTION: false - ENABLE_TPROXY: false - ENABLE_IC: false - -ipv4: - POD_CIDR: "10.16.0.0/16" - POD_GATEWAY: "10.16.0.1" - SVC_CIDR: "10.96.0.0/12" - JOIN_CIDR: "100.64.0.0/16" - PINGER_EXTERNAL_ADDRESS: "1.1.1.1" - PINGER_EXTERNAL_DOMAIN: "alauda.cn." 
- -ipv6: - POD_CIDR: "fd00:10:16::/112" - POD_GATEWAY: "fd00:10:16::1" - SVC_CIDR: "fd00:10:96::/112" - JOIN_CIDR: "fd00:100:64::/112" - PINGER_EXTERNAL_ADDRESS: "2606:4700:4700::1111" - PINGER_EXTERNAL_DOMAIN: "google.com." - -dual_stack: - POD_CIDR: "10.16.0.0/16,fd00:10:16::/112" - POD_GATEWAY: "10.16.0.1,fd00:10:16::1" - SVC_CIDR: "10.96.0.0/12,fd00:10:96::/112" - JOIN_CIDR: "100.64.0.0/16,fd00:100:64::/112" - PINGER_EXTERNAL_ADDRESS: "1.1.1.1,2606:4700:4700::1111" - PINGER_EXTERNAL_DOMAIN: "google.com." - -performance: - GC_INTERVAL: 360 - INSPECT_INTERVAL: 20 - OVS_VSCTL_CONCURRENCY: 100 - -debug: - ENABLE_MIRROR: false - MIRROR_IFACE: "mirror0" - -cni_conf: - CNI_CONFIG_PRIORITY: "01" - CNI_CONF_DIR: "/etc/cni/net.d" - CNI_BIN_DIR: "/opt/cni/bin" - CNI_CONF_FILE: "/kube-ovn/01-kube-ovn.conflist" - LOCAL_BIN_DIR: "/usr/local/bin" - MOUNT_LOCAL_BIN_DIR: false - -kubelet_conf: - KUBELET_DIR: "/var/lib/kubelet" - -log_conf: - LOG_DIR: "/var/log" - -OPENVSWITCH_DIR: "/etc/origin/openvswitch" -OVN_DIR: "/etc/origin/ovn" -DISABLE_MODULES_MANAGEMENT: false - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -# hybrid dpdk -HYBRID_DPDK: false -HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default -HUGEPAGES: 1Gi - -# DPDK -DPDK: false -DPDK_VERSION: "19.11" -DPDK_CPU: "1000m" # Default CPU configuration -DPDK_MEMORY: "2Gi" # Default Memory configuration - -ovn-central: - requests: - cpu: "300m" - memory: "200Mi" - limits: - cpu: "3" - memory: "4Gi" -ovs-ovn: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "2" - memory: "1000Mi" -kube-ovn-controller: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "1000m" - memory: "1Gi" -kube-ovn-cni: - requests: - cpu: "100m" - memory: "100Mi" - limits: - cpu: "1000m" - memory: "1Gi" -kube-ovn-pinger: - requests: - cpu: "100m" - memory: "100Mi" - limits: - cpu: "200m" - memory: "400Mi" -kube-ovn-monitor: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "200m" - memory: "200Mi" 
diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl b/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
index 8be2462d..9a216a38 100644
--- a/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
@@ -29,3 +29,28 @@ Number of master nodes
 {{- define "kubeovn.nodeCount" -}}
 {{- len (split "," (.Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .))) }}
 {{- end -}}
+
+{{- define "kubeovn.ovs-ovn.updateStrategy" -}}
+ {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}}
+ {{- if $ds -}}
+ {{- if eq $ds.spec.updateStrategy.type "RollingUpdate" -}}
+ RollingUpdate
+ {{- else -}}
+ {{- $chartVersion := index $ds.metadata.annotations "chart-version" }}
+ {{- $newChartVersion := printf "%s-%s" .Chart.Name .Chart.Version }}
+ {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}}
+ {{- $versionRegex := `^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)` -}}
+ {{- if and (ne $newChartVersion $chartVersion) (regexMatch $versionRegex $imageVersion) -}}
+ {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}}
+ RollingUpdate
+ {{- else -}}
+ OnDelete
+ {{- end -}}
+ {{- else -}}
+ OnDelete
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ RollingUpdate
+ {{- end -}}
+{{- end -}}
diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
index bf234e11..cd0d94f1 100644
--- a/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
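Review bot: The `$versionRegex` in the new `kubeovn.ovs-ovn.updateStrategy` helper reads `(?P0|[1-9]\d*)` as shown here, which Go's regexp rejects (a `(?P` group needs a `<name>`), so `regexMatch` would abort the render; if the group names were merely lost when this page was rendered, confirm the committed file still has them, otherwise drop the unused names: `{{- $versionRegex := `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` -}}`. The `index $ds.metadata.annotations "chart-version"` line assumes any existing `ovs-ovn` DaemonSet carries annotations; if one was created without any, `index` on the resulting nil map fails the whole render, so guard it: `{{- $chartVersion := index ($ds.metadata.annotations | default (dict)) "chart-version" }}`. Since this helper's result is also consumed by `central-deploy.yaml` in this commit, a render failure here breaks both templates; a short comment above the `define` stating that it returns `RollingUpdate` unless the running ovs-ovn image is older than 1.12.0 (and that `lookup` yields nothing under `helm template`/`--dry-run`, so that path always gives `RollingUpdate`) would make that dependency visible.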
@@ -42,7 +42,7 @@ spec: hostNetwork: true containers: - name: ovn-central - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /kube-ovn/start-db.sh @@ -74,12 +74,18 @@ spec: value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - name: PROBE_INTERVAL value: "{{ .Values.networking.PROBE_INTERVAL }}" + - name: OVN_NORTHD_PROBE_INTERVAL + value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}" - name: OVN_LEADER_PROBE_INTERVAL value: "{{ .Values.networking.OVN_LEADER_PROBE_INTERVAL }}" - name: OVN_NORTHD_N_THREADS value: "{{ .Values.networking.OVN_NORTHD_N_THREADS }}" - name: ENABLE_COMPACT value: "{{ .Values.networking.ENABLE_COMPACT }}" + {{- if include "kubeovn.ovs-ovn.updateStrategy" . | eq "OnDelete" }} + - name: OVN_VERSION_COMPATIBILITY + value: "21.06" + {{- end }} resources: requests: cpu: {{ index .Values "ovn-central" "requests" "cpu" }} @@ -92,9 +98,6 @@ spec: name: host-run-ovs - mountPath: /var/run/ovn name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - mountPath: /etc/openvswitch name: host-config-openvswitch - mountPath: /etc/ovn @@ -136,9 +139,6 @@ spec: - name: host-run-ovn hostPath: path: /run/ovn - - name: host-sys - hostPath: - path: /sys - name: host-config-openvswitch hostPath: path: {{ .Values.OPENVSWITCH_DIR }} diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml index 0e694945..80ecd53a 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml 
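Review bot: In the `@@ -74,12 +74,18 @@` hunk the new env line `value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}"` drops the space before `}}` that every sibling line uses; write it as `value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL }}"`. The condition `{{- if include "kubeovn.ovs-ovn.updateStrategy" . | eq "OnDelete" }}` is also written in pipe form while upgrade-ovs-ovn.yaml uses `eq (include "kubeovn.ovs-ovn.updateStrategy" .) "OnDelete"`; picking one form makes the two call sites greppable as the same check.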
@@ -49,49 +49,22 @@ spec: hostNetwork: true containers: - name: kube-ovn-controller - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: + {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} - /kube-ovn/start-controller.sh - --default-ls={{ .Values.networking.DEFAULT_SUBNET }} - - --default-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_CIDR }} - {{- end }} - - --default-gateway= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_GATEWAY }} - {{- end }} + - --default-cidr={{ index $cozyConfig.data "ipv4-pod-cidr" }} + - --default-gateway={{ index $cozyConfig.data "ipv4-pod-gateway" }} - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }} - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }} - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }} - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }} - --cluster-router={{ .Values.networking.DEFAULT_VPC }} - --node-switch={{ .Values.networking.NODE_SUBNET }} - - --node-switch-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.JOIN_CIDR }} - {{- end }} - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ 
.Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} + - --node-switch-cidr={{ index $cozyConfig.data "ipv4-join-cidr" }} + - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} - --network-type={{- .Values.networking.NETWORK_TYPE }} - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }} - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} @@ -99,6 +72,7 @@ spec: - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }} - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }} - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }} + - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }} - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }} - --enable-lb={{- .Values.func.ENABLE_LB }} - --enable-np={{- .Values.func.ENABLE_NP }} @@ -113,7 +87,6 @@ spec: - --log_file_max_size=0 - --enable-lb-svc={{- .Values.func.ENABLE_LB_SVC }} - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }} - - --pod-default-fip-type={{- .Values.networking.POD_DEFAULT_FIP_TYPE }} - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }} env: diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml similarity index 95% rename from packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml rename to packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml index 0d0f225f..64b086c4 100644 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml 
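Review bot: The new args read `index $cozyConfig.data "ipv4-pod-cidr"` straight from `lookup "v1" "ConfigMap" "cozy-system" "cozystack"` with no guard; when Helm has no cluster connection (`helm template`, client-side dry-run) or the ConfigMap is absent, `lookup` returns an empty map, `.data` is nil and rendering most likely aborts with `index of untyped nil`, while a ConfigMap that exists but lacks one key silently renders `--default-cidr=` and starts the controller with an empty CIDR. Consider `{{- $cozyData := (lookup "v1" "ConfigMap" "cozy-system" "cozystack").data | required "ConfigMap cozy-system/cozystack not found (lookup needs a live cluster)" }}` and per-key `{{ index $cozyData "ipv4-pod-cidr" | required "ipv4-pod-cidr missing in cozy-system/cozystack" }}` so the failure is explicit at render time. The same unguarded pattern is introduced in ovncni-ds.yaml (`--service-cluster-ip-range`). Note this also makes chart rendering depend on read access to a ConfigMap in another namespace, which the identity running Helm must have.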
@@ -43,7 +43,7 @@ spec: hostNetwork: true containers: - name: ovn-ic-controller - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/start-ic-controller.sh"] args: diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml similarity index 98% rename from packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml rename to packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml index a305a378..dd087552 100644 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml @@ -1268,9 +1268,15 @@ spec: - jsonPath: .status.v4Eip name: V4Eip type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string - jsonPath: .status.v4Ip name: V4Ip type: string + - jsonPath: .status.v6Ip + name: V6Ip + type: string - jsonPath: .status.ready name: Ready type: boolean @@ -1325,6 +1331,8 @@ spec: type: string v4Ip: type: string + v6Ip: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1353,9 +1361,15 @@ spec: - jsonPath: .status.v4Eip name: V4Eip type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string - jsonPath: .status.v4IpCidr name: V4IpCidr type: string + - jsonPath: .status.v6IpCidr + name: V6IpCidr + type: string - jsonPath: .status.ready name: Ready type: boolean @@ -1370,8 +1384,12 @@ spec: type: boolean v4Eip: type: string + v6Eip: + type: string v4IpCidr: type: string + v6IpCidr: + type: string vpc: type: string conditions: @@ -1404,6 +1422,8 @@ spec: type: string v4IpCidr: type: string + v6IpCidr: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -1438,9 +1458,15 @@ spec: - jsonPath: .status.v4Eip name: V4Eip type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string - jsonPath: .status.v4Ip name: V4Ip type: string + - jsonPath: .status.v6Ip + name: V6Ip + type: string - jsonPath: .status.internalPort name: InternalPort type: string @@ -1512,6 +1538,8 @@ spec: type: string v4Ip: type: string + v6Ip: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1873,6 +1901,9 @@ spec: - name: Vpc type: string jsonPath: .spec.vpc + - name: Vlan + type: string + jsonPath: .spec.vlan - name: Protocol type: string jsonPath: .spec.protocol @@ -1913,6 +1944,12 @@ spec: openAPIV3Schema: type: object properties: + metadata: + type: object + properties: + name: + type: string + pattern: ^[^0-9] status: type: object properties: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml index b938ebfe..af9bcfe9 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml @@ -40,7 +40,7 @@ spec: hostNetwork: true containers: - name: kube-ovn-monitor - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/start-ovn-monitor.sh"] args: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml index 2aa39184..54e69a5b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml 
@@ -54,17 +54,28 @@ rules: - "" resources: - pods - - pods/exec - namespaces - - nodes - - configmaps verbs: - - create - get - list + - patch - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list - patch - update + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create - apiGroups: - "k8s.cni.cncf.io" resources: @@ -74,40 +85,53 @@ rules: - apiGroups: - "" - networking.k8s.io - - apps resources: - networkpolicies - - daemonsets + - configmaps verbs: - get - list - watch - apiGroups: - - "" - apps resources: - - services/status + - daemonsets verbs: - - update + - get - apiGroups: - "" - - networking.k8s.io - - apps - - extensions resources: - services + - services/status + verbs: + - get + - list + - update + - create + - delete + - watch + - apiGroups: + - "" + resources: - endpoints + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - apps + resources: - statefulsets - deployments - deployments/scale verbs: + - get + - list - create - delete - update - - patch - - get - - list - - watch - apiGroups: - "" resources: @@ -148,8 +172,6 @@ rules: - patch - apiGroups: - "" - - networking.k8s.io - - apps resources: - services - endpoints @@ -176,26 +198,30 @@ rules: resources: - subnets - provider-networks - - ovn-eips - - ovn-eips/status - - ips verbs: - get - list - - patch - - update - watch - apiGroups: - "" + - "kubeovn.io" resources: - - pods + - ovn-eips + - ovn-eips/status - nodes - - configmaps + - pods verbs: - get - list - patch - watch + - apiGroups: + - "kubeovn.io" + resources: + - ips + verbs: + - get + - update - apiGroups: - "" resources: @@ -204,6 +230,14 @@ rules: - create - patch - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 @@ -222,8 +256,6 @@ rules: - get - list - apiGroups: - - "" - - networking.k8s.io - apps resources: - daemonsets 
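Review bot: The reorganised rules keep `create` on `pods/exec` (first hunk) and `create`/`delete` on `services` (the `@@ -74,40 +85,53 @@` hunk) cluster-wide with no `resourceNames`, so any ServiceAccount bound to this ClusterRole can exec into any pod and manage any Service; the ClusterRole's name is outside the hunk. If exec is only needed by a specific component, a comment such as `# pods/exec create: required by <component/script> — TODO confirm` above that rule, or moving it to a namespaced Role, would document why such a broad grant stays. Separately, the `@@ -176,26 +198,30 @@` hunk narrows `ips` to `get`/`update` where the old rule also granted `list`, `patch` and `watch`; if the consumer runs an informer on `ips` this surfaces as RBAC forbidden errors at runtime rather than at install, so verify against the component before merging.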
diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml index 1d799899..e1cb0a4b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml @@ -31,7 +31,7 @@ spec: hostPID: true containers: - name: openvswitch - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}-dpdk + image: {{ include "kubeovn.image" . }}-dpdk imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/start-ovs-dpdk-v2.sh"] securityContext: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml index d9a9a676..94c0ebc2 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml @@ -30,7 +30,7 @@ spec: hostPID: true initContainers: - name: install-cni - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/install-cni.sh"] securityContext: 
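Review bot: `image: {{ include "kubeovn.image" . }}-dpdk` appends `-dpdk` after the `@sha256:<digest>` suffix that `kubeovn.image` produces, giving `...@sha256:<hex>-dpdk`, which is not a valid image reference, so the DPDK DaemonSet cannot pull once this helper is used. ovsovn-ds.yaml has the related problem that its `{{- if .Values.DPDK }}` and `{{- else }}` branches now render the identical image, dropping the previous `dpdkRepository`/`DPDK_VERSION` variant entirely. If DPDK mode is meant to remain supported, give it its own tag/digest pair (e.g. `images/kubeovn-dpdk.tag` and `.json` with a `kubeovn.dpdkImage` helper); if not, remove the DPDK branches and the `DPDK`/`DPDK_VERSION` values rather than shipping an unpullable reference.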
@@ -45,24 +45,18 @@ spec: {{- end }} containers: - name: cni-server - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - bash - /kube-ovn/start-cniserver.sh args: + {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }} - --mirror-iface={{- .Values.debug.MIRROR_IFACE }} - --node-switch={{ .Values.networking.NODE_SUBNET }} - --encap-checksum=true - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} + - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} {{- if eq .Values.networking.NETWORK_TYPE "vlan" }} - --iface= {{- else}} @@ -96,10 +90,6 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: MODULES - value: "{{- .Values.performance.MODULES }}" - - name: RPMS - value: "{{- .Values.performance.RPMS }}" - name: POD_IPS valueFrom: fieldRef: @@ -139,8 +129,6 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: /tmp - name: tmp readinessProbe: failureThreshold: 3 periodSeconds: 7 @@ -205,9 +193,6 @@ spec: - name: host-log-ovn hostPath: path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: tmp - hostPath: - path: /tmp {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - name: local-bin hostPath: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml index 319d74a9..b7176d18 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml 
@@ -6,12 +6,13 @@ metadata: annotations: kubernetes.io/description: | This daemon set launches the openvswitch daemon. + chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" spec: selector: matchLabels: app: ovs updateStrategy: - type: RollingUpdate + type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }} rollingUpdate: maxSurge: 1 maxUnavailable: 0 @@ -21,6 +22,8 @@ spec: app: ovs component: network type: infra + annotations: + chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" spec: tolerations: - effect: NoSchedule @@ -36,9 +39,9 @@ spec: containers: - name: openvswitch {{- if .Values.DPDK }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} {{- else }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.DPDK }} @@ -100,9 +103,6 @@ spec: name: host-run-ovs - mountPath: /var/run/ovn name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - mountPath: /etc/openvswitch name: host-config-openvswitch - mountPath: /etc/ovn @@ -185,9 +185,6 @@ spec: - name: host-run-ovn hostPath: path: /run/ovn - - name: host-sys - hostPath: - path: /sys - name: host-config-openvswitch hostPath: path: {{ .Values.OPENVSWITCH_DIR }} diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml index f54b276a..f6eb84fd 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml 
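Review bot: The `chart-version` annotation is added both to the DaemonSet metadata and to `spec.template.metadata.annotations` (the `@@ -21,6 +22,8 @@` hunk); only the former is read by `kubeovn.ovs-ovn.updateStrategy` (`$ds.metadata.annotations`), while the pod-template copy changes the pod template on every chart version bump and therefore triggers a full ovs-ovn rollout even when the image is unchanged. If a restart on each chart bump is intended, say so with `# pod-template annotation: forces an ovs-ovn rollout on every chart version change`; otherwise keep the annotation on the DaemonSet metadata only.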
@@ -31,7 +31,7 @@ spec: hostPID: true containers: - name: pinger - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} command: - /kube-ovn/kube-ovn-pinger args: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml index d81c5ca2..f6dbca82 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml @@ -104,7 +104,7 @@ spec: serviceAccountName: kube-ovn-pre-delete-hook containers: - name: remove-subnet-finalizer - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" + image: "{{ include "kubeovn.image" . }}" env: - name: POD_NAMESPACE valueFrom: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml index 980354e6..bfc5eede 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml @@ -1,5 +1,4 @@ -{{ if (lookup "apps/v1" "DaemonSet" .Values.namespace "ovs-ovn") }} -{{ if eq (lookup "apps/v1" "DaemonSet" .Values.namespace "ovs-ovn").spec.updateStrategy.type "OnDelete" }} +{{- if eq (include "kubeovn.ovs-ovn.updateStrategy" .) "OnDelete" }} --- apiVersion: v1 kind: ServiceAccount @@ -33,6 +32,16 @@ rules: - ovs-ovn verbs: - get + - apiGroups: + - apps + resources: + - deployments + resourceNames: + - ovn-central + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -46,6 +55,7 @@ rules: verbs: - list - get + - watch - delete --- apiVersion: rbac.authorization.k8s.io/v1 
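Review bot: In the `@@ -33,6 +32,16 @@` hunk of upgrade-ovs-ovn.yaml the new `deployments` rule grants `list`/`watch` with `resourceNames: [ovn-central]`; as far as I recall RBAC only honours `resourceNames` for list/watch when the request carries a `metadata.name` field selector, so upgrade-ovs.sh (not in the diff) must query that way or the calls are denied — `get` alone would be enough if the script only polls the Deployment. Since the whole Job and its RBAC are now rendered only when `kubeovn.ovs-ovn.updateStrategy` returns `OnDelete`, a comment above the condition such as `# rendered only while ovs-ovn is on the OnDelete strategy; see kubeovn.ovs-ovn.updateStrategy` would help the next reader find the rule.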
@@ -121,22 +131,33 @@ spec: serviceAccountName: ovs-ovn-upgrade containers: - name: ovs-ovn-upgrade - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" + image: "{{ include "kubeovn.image" . }}" env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace + - name: ENABLE_SSL + value: "{{ .Values.networking.ENABLE_SSL }}" + - name: OVN_DB_IPS + value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" command: - - sh + - bash + - -eo + - pipefail - -c - /kube-ovn/upgrade-ovs.sh 2>&1 | tee -a /var/log/kube-ovn/upgrade-ovs.log volumeMounts: - mountPath: /var/log/kube-ovn name: kube-ovn-log + - mountPath: /var/run/tls + name: kube-ovn-tls volumes: - name: kube-ovn-log hostPath: path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn -{{ end }} + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls {{ end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml index 0f9bd0f5..70460d2f 100755 --- a/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml @@ -7,4 +7,4 @@ metadata: kubernetes.io/description: | kube-ovn vpc-nat common config data: - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }} \ No newline at end of file + image: {{ include "kubeovn.image" . }} \ No newline at end of file diff --git a/packages/system/kubeovn/charts/kube-ovn/values.yaml b/packages/system/kubeovn/charts/kube-ovn/values.yaml index bfffc4d7..77be5a8b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/values.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml 
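Review bot: The `kube-ovn-tls` volume is mounted with `optional: true`, so when `ENABLE_SSL` is true but the secret is missing the Job starts with an empty `/var/run/tls` and the failure mode moves into upgrade-ovs.sh, which is outside the diff; assuming `ENABLE_SSL` is a boolean in values.yaml, `optional: {{ not .Values.networking.ENABLE_SSL }}` makes a TLS-enabled cluster fail fast at scheduling with a clear event instead. The switch to `bash -eo pipefail -c` is needed here because the old `sh -c '... | tee -a ...'` returned tee's exit status and hid a failing upgrade; a one-line comment above `command:` saying `# pipefail so a failing upgrade-ovs.sh fails the Job despite the tee` records that intent.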
@@ -40,7 +40,6 @@ networking: VLAN_ID: "100" EXCHANGE_LINK_NAME: false ENABLE_EIP_SNAT: true - POD_DEFAULT_FIP_TYPE: "" DEFAULT_SUBNET: "ovn-default" DEFAULT_VPC: "ovn-cluster" NODE_SUBNET: "join" @@ -48,6 +47,7 @@ networking: ENABLE_METRICS: true NODE_LOCAL_DNS_IP: "" PROBE_INTERVAL: 180000 + OVN_NORTHD_PROBE_INTERVAL: 5000 OVN_LEADER_PROBE_INTERVAL: 5 OVN_REMOTE_PROBE_INTERVAL: 10000 OVN_REMOTE_OPENFLOW_INTERVAL: 180 @@ -63,19 +63,17 @@ func: ENABLE_LB_SVC: false ENABLE_KEEP_VM_IP: true LS_DNAT_MOD_DL_DST: true + LS_CT_SKIP_DST_LPORT_IPS: true CHECK_GATEWAY: true LOGICAL_GATEWAY: false ENABLE_BIND_LOCAL_IP: true U2O_INTERCONNECTION: false ENABLE_TPROXY: false + ENABLE_IC: false ipv4: - POD_CIDR: "10.16.0.0/16" - POD_GATEWAY: "10.16.0.1" - SVC_CIDR: "10.96.0.0/12" - JOIN_CIDR: "100.64.0.0/16" PINGER_EXTERNAL_ADDRESS: "1.1.1.1" - PINGER_EXTERNAL_DOMAIN: "alauda.cn." + PINGER_EXTERNAL_DOMAIN: "kube-ovn.io." ipv6: POD_CIDR: "fd00:10:16::/112" @@ -94,8 +92,6 @@ dual_stack: PINGER_EXTERNAL_DOMAIN: "google.com." performance: - MODULES: "kube_ovn_fastpath.ko" - RPMS: "openvswitch-kmod" GC_INTERVAL: 360 INSPECT_INTERVAL: 20 OVS_VSCTL_CONCURRENCY: 100 @@ -149,7 +145,7 @@ ovs-ovn: cpu: "200m" memory: "200Mi" limits: - cpu: "1000m" + cpu: "2" memory: "1000Mi" kube-ovn-controller: requests: diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json new file mode 100644 index 00000000..f482cd71 --- /dev/null +++ b/packages/system/kubeovn/images/kubeovn.json @@ -0,0 +1,4 @@ +{ + "containerimage.config.digest": "sha256:f83db05cfc7228a02d1308721de535e90e355d1b147b2d36bb98e10a848c3ef6", + "containerimage.digest": "sha256:440075488baba3610d7f8be6283f89ab3862ff3a9556c51a0e99ec6d46315192" +} \ No newline at end of file diff --git a/packages/system/kubeovn/images/kubeovn.tag b/packages/system/kubeovn/images/kubeovn.tag new file mode 100644 index 00000000..13402f01 --- /dev/null +++ b/packages/system/kubeovn/images/kubeovn.tag 
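Review bot: With `ipv4.POD_CIDR`/`POD_GATEWAY`/`SVC_CIDR`/`JOIN_CIDR` removed and the controller and CNI args now taking only the `ipv4-*` keys of the `cozystack` ConfigMap, the `ipv6:` and `dual_stack:` sections that remain in this file (and `networking.NET_STACK`, if still present above the hunk) no longer influence rendering, which will mislead operators who set them. Either drop them or add `# ipv6/dual_stack CIDRs are not used: pod/svc/join CIDRs come from the cozy-system/cozystack ConfigMap` above those sections. `ENABLE_IC: false` is added without a consumer visible in this diff; confirm a template reads it.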
@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/kubeovn:latest
diff --git a/packages/system/kubeovn/images/kubeovn/Dockerfile b/packages/system/kubeovn/images/kubeovn/Dockerfile
new file mode 100644
index 00000000..632a76da
--- /dev/null
+++ b/packages/system/kubeovn/images/kubeovn/Dockerfile
@@ -0,0 +1,43 @@
+ARG VERSION=v1.13.0
+ARG BASE_TAG=$VERSION
+
+FROM golang:1.22-bookworm as builder
+
+ARG COMMIT_REF=e1310e1
+
+WORKDIR /source
+
+RUN wget -O- https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
+RUN sed -i 's|-z now|-z now -static|' Makefile
+RUN make build-go
+
+WORKDIR /source/dist/images
+
+# imported from https://github.com/kubeovn/kube-ovn/blob/master/dist/images/Dockerfile
+FROM kubeovn/kube-ovn-base:$BASE_TAG
+
+COPY --from=builder /source/dist/images/*.sh /kube-ovn/
+COPY --from=builder /source/dist/images/kubectl-ko /kube-ovn/kubectl-ko
+COPY --from=builder /source/dist/images/01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
+COPY --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
+COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
+
+WORKDIR /kube-ovn
+
+RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
+RUN rm -f /usr/bin/nc &&\
+ rm -f /usr/bin/netcat &&\
+ rm -f /usr/lib/apt/methods/mirror
+RUN deluser sync
+
+COPY --from=builder /source/dist/images/kube-ovn /kube-ovn/kube-ovn
+COPY --from=builder /source/dist/images/kube-ovn-cmd /kube-ovn/kube-ovn-cmd
+COPY --from=builder /source/dist/images/kube-ovn-webhook /kube-ovn/kube-ovn-webhook
+RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-daemon && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-pinger && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller-healthcheck && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller
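Review bot: The builder stage fetches the sources with `wget -O- https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz | tar xzf -` using a 7-character abbreviated ref (`e1310e1`) and no integrity check, so the build input is neither uniquely identified (short SHAs can become ambiguous as the upstream repo grows) nor verified against what was reviewed. Pin the full 40-character commit SHA and verify the archive's SHA-256 before unpacking, as sketched below; if GitHub's generated archives prove unstable for checksumming, a shallow `git clone` plus `git checkout <full sha>` gives the same guarantee. The base images `golang:1.22-bookworm` and `kubeovn/kube-ovn-base:$BASE_TAG` are mutable tags too and would benefit from `@sha256:` digests, which the `--cache-from`/metadata flow in the Makefile already produces for the output image.

```dockerfile
# … unchanged: ARG VERSION / ARG BASE_TAG, FROM golang builder …
ARG COMMIT_REF=<FULL_40_CHAR_COMMIT_SHA>   # placeholder: expand e1310e1 to the full SHA
ARG SOURCE_SHA256=<SHA256_OF_ARCHIVE>      # placeholder: record once, then pin

WORKDIR /source

RUN wget -O /tmp/kube-ovn-src.tar.gz https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz \
 && echo "${SOURCE_SHA256}  /tmp/kube-ovn-src.tar.gz" | sha256sum -c - \
 && tar xzf /tmp/kube-ovn-src.tar.gz --strip-components=1 \
 && rm -f /tmp/kube-ovn-src.tar.gz
# … unchanged: sed/make build-go and the runtime stage …
```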
diff --git a/packages/system/kubeovn/patches/cozyconfig.diff b/packages/system/kubeovn/patches/cozyconfig.diff
new file mode 100644
index 00000000..c5a14190
--- /dev/null
+++ b/packages/system/kubeovn/patches/cozyconfig.diff
@@ -0,0 +1,97 @@ + +diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml +index d9a9a67..b2e12dd 100644 +--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml ++++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml +@@ -51,18 +51,12 @@ spec: + - bash + - /kube-ovn/start-cniserver.sh + args: ++ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} + - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }} + - --mirror-iface={{- .Values.debug.MIRROR_IFACE }} + - --node-switch={{ .Values.networking.NODE_SUBNET }} + - --encap-checksum=true +- - --service-cluster-ip-range= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.SVC_CIDR }} +- {{- end }} ++ - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} + {{- if eq .Values.networking.NETWORK_TYPE "vlan" }} + - --iface= + {{- else}} +diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml +index 0e69494..756eb7c 100644 +--- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml ++++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml +@@ -52,46 +52,19 @@ spec: + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: ++ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} + - /kube-ovn/start-controller.sh + - --default-ls={{ .Values.networking.DEFAULT_SUBNET }} +- - --default-cidr= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ 
.Values.dual_stack.POD_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.POD_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.POD_CIDR }} +- {{- end }} +- - --default-gateway= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.POD_GATEWAY }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.POD_GATEWAY }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.POD_GATEWAY }} +- {{- end }} ++ - --default-cidr={{ index $cozyConfig.data "ipv4-pod-cidr" }} ++ - --default-gateway={{ index $cozyConfig.data "ipv4-pod-gateway" }} + - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }} + - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }} + - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }} + - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }} + - --cluster-router={{ .Values.networking.DEFAULT_VPC }} + - --node-switch={{ .Values.networking.NODE_SUBNET }} +- - --node-switch-cidr= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.JOIN_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.JOIN_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.JOIN_CIDR }} +- {{- end }} +- - --service-cluster-ip-range= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.SVC_CIDR }} +- {{- end }} ++ - --node-switch-cidr={{ index $cozyConfig.data "ipv4-join-cidr" }} ++ - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} + - --network-type={{- .Values.networking.NETWORK_TYPE }} + - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }} + - 
--default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} +diff --git a/packages/system/kubeovn/charts/kube-ovn/values.yaml b/packages/system/kubeovn/charts/kube-ovn/values.yaml +index bfffc4d..b880749 100644 +--- a/packages/system/kubeovn/charts/kube-ovn/values.yaml ++++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml +@@ -70,10 +70,6 @@ func: + ENABLE_TPROXY: false + + ipv4: +- POD_CIDR: "10.16.0.0/16" +- POD_GATEWAY: "10.16.0.1" +- SVC_CIDR: "10.96.0.0/12" +- JOIN_CIDR: "100.64.0.0/16" + PINGER_EXTERNAL_ADDRESS: "1.1.1.1" + PINGER_EXTERNAL_DOMAIN: "alauda.cn." + diff --git a/packages/system/kubeovn/templates/_helpers.tpl b/packages/system/kubeovn/templates/_helpers.tpl new file mode 100644 index 00000000..83e3b907 --- /dev/null +++ b/packages/system/kubeovn/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "kubeovn.image" -}} +{{ .Files.Get "images/kubeovn.tag" | trim }}@{{ index (.Files.Get "images/kubeovn.json" | fromJson) "containerimage.digest" }} +{{- end -}} diff --git a/packages/system/kubeovn/values.yaml b/packages/system/kubeovn/values.yaml index 26e9203f..cc904a5e 100644 --- a/packages/system/kubeovn/values.yaml +++ b/packages/system/kubeovn/values.yaml @@ -1,12 +1,4 @@ kube-ovn: - global: - registry: - address: ghcr.io/kvaps - images: - kubeovn: - repository: test - tag: kube-ovn-static-v1.13.0-cozystack2 - namespace: cozy-kubeovn func: From 6211f9d876e6d770518dfc038f33eebef935718d Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 27 May 2024 19:40:57 +0200 Subject: [PATCH 14/25] cilium: enforce device detection and enable image building (#151) 
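Review bot: `kubeovn.image` is defined in the parent chart (`packages/system/kubeovn/templates/_helpers.tpl`) but every call site is a subchart template invoking `include "kubeovn.image" .` with the subchart's own context, so `.Files.Get "images/kubeovn.tag"` resolves inside `charts/kube-ovn/`, not against `packages/system/kubeovn/images/` where the new tag and json files live; I cannot see a `charts/kube-ovn/images` symlink in this diff (the later cilium commit adds exactly such a link), and without one the helper renders an empty tag and a missing digest. If the symlink exists elsewhere, a comment above the define such as `{{/* reads images/kubeovn.{tag,json}; the subchart resolves these via charts/kube-ovn/images -> ../../images */}}` would make the dependency visible; if it does not, pass the parent context (`$`) or add the link in the Makefile as done for cilium.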
Signed-off-by: Andrei Kvapil --- Makefile | 1 + packages/system/cilium/Makefile | 20 +- packages/system/cilium/charts/cilium/images | 1 + .../templates/cilium-agent/daemonset.yaml | 20 +- packages/system/cilium/images/cilium.json | 4 + packages/system/cilium/images/cilium.tag | 1 + .../system/cilium/images/cilium/Dockerfile | 16 ++ .../cilium/enforce-device-detection.diff | 244 ++++++++++++++++++ packages/system/cilium/templates/_helpers.tpl | 3 + packages/system/cilium/values.yaml | 7 + 10 files changed, 306 insertions(+), 11 deletions(-) create mode 120000 packages/system/cilium/charts/cilium/images create mode 100644 packages/system/cilium/images/cilium.json create mode 100644 packages/system/cilium/images/cilium.tag create mode 100644 packages/system/cilium/images/cilium/Dockerfile create mode 100644 packages/system/cilium/images/cilium/enforce-device-detection.diff create mode 100644 packages/system/cilium/templates/_helpers.tpl diff --git a/Makefile b/Makefile index 0ef2d210..9ac01626 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,7 @@ build: make -C packages/apps/http-cache image make -C packages/apps/kubernetes image + make -C packages/system/cilium image make -C packages/system/kubeovn image make -C packages/system/dashboard image make -C packages/core/installer image diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile index 038b767c..23e43516 100644 --- a/packages/system/cilium/Makefile +++ b/packages/system/cilium/Makefile @@ -1,6 +1,9 @@ +CILIUM_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) + NAME=cilium NAMESPACE=cozy-$(NAME) +include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk update: 
@@ -8,5 +11,20 @@ update: helm repo add cilium https://helm.cilium.io/ helm repo update cilium helm pull cilium/cilium --untar --untardir charts --version 1.15 + ln -s ../../images charts/cilium/images + sed -i 's/include "cilium.image" .Values.image/include "cilium.image" ./g' charts/cilium/templates/cilium-agent/daemonset.yaml sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml - patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch + version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \ + sed -i "s/ARG VERSION=.*/ARG VERSION=v$${version}/" images/cilium/Dockerfile + +image: + docker buildx build images/cilium \ + --provenance false \ + --tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)) \ + --tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG)) \ + --cache-from type=registry,ref=$(REGISTRY)/cilium:latest \ + --cache-to type=inline \ + --metadata-file images/cilium.json \ + --push=$(PUSH) \ + --load=$(LOAD) + echo "$(REGISTRY)/cilium:$(call settag,$(TAG))" > images/cilium.tag diff --git a/packages/system/cilium/charts/cilium/images b/packages/system/cilium/charts/cilium/images new file mode 120000 index 00000000..5fa69870 --- /dev/null +++ b/packages/system/cilium/charts/cilium/images @@ -0,0 +1 @@ +../../images \ No newline at end of file diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml index 144025e0..91b3fc02 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -94,7 +94,7 @@ spec: {{- end }} containers: - name: cilium-agent - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.sleepAfterInit }} command: 
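Review bot: `image` pushes the rebuilt agent under the bare upstream version tag (`$(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG))`), so any later rebuild with a changed `enforce-device-detection.diff` silently overwrites that tag in place; the chart is safe only because `images/cilium.tag` is combined with the digest written to `images/cilium.json`, and a comment on the target should say so, e.g. `# tags are mutable; the chart pins the digest from images/cilium.json`. `--provenance false` also drops BuildKit's provenance attestation from an image whose `cilium-agent` is no longer upstream's binary, which is exactly the artifact a consumer would want to trace back to this Makefile and patch; consider leaving provenance on, or signing the pushed digest, since the chart already consumes the digest. The `sed` on `ARG VERSION` keeps only that one line in step with the pulled chart, so every other place in the Dockerfile that names the Cilium release must derive from `${VERSION}` or it will drift.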
@@ -398,7 +398,7 @@ spec: {{- end }} {{- if .Values.monitor.enabled }} - name: cilium-monitor - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /bin/bash @@ -430,7 +430,7 @@ spec: {{- end }} initContainers: - name: config - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - cilium-dbg @@ -485,7 +485,7 @@ spec: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: CGROUP_ROOT @@ -531,7 +531,7 @@ spec: - ALL {{- end}} - name: apply-sysctl-overwrites - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: @@ -580,7 +580,7 @@ spec: # from a privileged container because the mount propagation bidirectional # only works from privileged containers. - name: mount-bpf-fs - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: @@ -605,7 +605,7 @@ spec: {{- end }} {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }} - name: wait-for-node-init - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: 
@@ -625,7 +625,7 @@ spec: mountPath: "/tmp/cilium-bootstrap.d" {{- end }} - name: clean-cilium-state - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /init-container.sh @@ -697,7 +697,7 @@ spec: {{- end }} {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true")) }} - name: wait-for-kube-proxy - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: @@ -735,7 +735,7 @@ spec: {{- if .Values.cni.install }} # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - name: install-cni-binaries - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - "/install-plugin.sh" diff --git a/packages/system/cilium/images/cilium.json b/packages/system/cilium/images/cilium.json new file mode 100644 index 00000000..47ee9b16 --- /dev/null +++ b/packages/system/cilium/images/cilium.json @@ -0,0 +1,4 @@ +{ + "containerimage.config.digest": "sha256:5d7a65f2d5c41bd53cccaa55d4f5d28933c08f5294e732b9a00427d091c1d78f", + "containerimage.digest": "sha256:f9f46b6c57cbe9ccb2686be7e58236e3bfae0942c4be687f0bf16270832f09ab" +} \ No newline at end of file diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag new file mode 100644 index 00000000..ab03ee07 --- /dev/null +++ b/packages/system/cilium/images/cilium.tag @@ -0,0 +1 @@ +ghcr.io/aenix-io/cozystack/cilium:latest diff --git a/packages/system/cilium/images/cilium/Dockerfile b/packages/system/cilium/images/cilium/Dockerfile new file mode 100644 index 00000000..470f5c26 --- /dev/null 
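Review bot: Every container in this DaemonSet now resolves its image through `.Files.Get` on the subchart's own root context, which only works because `update` symlinks `charts/cilium/images` to the package's `images/` directory (`new mode 120000`); a chart tree copied, vendored or packaged without that symlink renders an empty tag and digest rather than failing. A comment next to the first rewritten `image:` line, e.g. `# image resolved from images/cilium.tag + images/cilium.json via the charts/cilium/images symlink`, would save the next maintainer a puzzling `@`-only image error, and the helper should use `required` so the failure happens at render time. The rewrite is applied by `sed` in the Makefile rather than kept as a patch, so it is presumably redone on every `helm pull`; if upstream ever changes these lines the `sed` matches nothing and the old `.Values.image` calls stay in place without any error.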
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:experimental
+
+ARG VERSION=v1.15.5
+
+FROM golang:1.22-bookworm as builder
+
+WORKDIR /source
+
+COPY enforce-device-detection.diff /enforce-device-detection.diff
+
+RUN wget -O- https://github.com/cilium/cilium/archive/refs/tags/v1.15.5.tar.gz | tar xzf - --strip-components=1
+RUN git apply /enforce-device-detection.diff
+RUN make build-agent
+
+FROM quay.io/cilium/cilium:${VERSION}
+COPY --from=builder /source/daemon/cilium-agent /usr/bin/cilium-agent
diff --git a/packages/system/cilium/images/cilium/enforce-device-detection.diff b/packages/system/cilium/images/cilium/enforce-device-detection.diff
new file mode 100644
index 00000000..408ca784
--- /dev/null
+++ b/packages/system/cilium/images/cilium/enforce-device-detection.diff
@@ -0,0 +1,244 @@ +diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go +index 9435b2570b..416c34ed7a 100644 +--- a/daemon/cmd/daemon_main.go ++++ b/daemon/cmd/daemon_main.go +@@ -222,6 +222,9 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) { + flags.StringSlice(option.Devices, []string{}, "List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'") + option.BindEnv(vp, option.Devices) + ++ flags.Bool(option.EnforceDeviceDetection, false, "Enforces the auto-detection of devices, even if specific devices are explicitly listed") ++ option.BindEnv(vp, option.EnforceDeviceDetection) ++ + flags.String(option.DirectRoutingDevice, "", "Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF host routing; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)") + option.BindEnv(vp, option.DirectRoutingDevice) + +diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md +index 6a92a83040..bf728ce32e 100644 +--- a/install/kubernetes/cilium/README.md ++++ b/install/kubernetes/cilium/README.md +@@ -309,6 +309,7 @@ contributors across the globe, there is almost always someone available to help. + | endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. | + | endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. | + | endpointStatus | object | `{"enabled":false,"status":""}` | Enable endpoint status. Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. 
| ++| enforceDeviceDetection | bool | `false` | Enforces the auto-detection of devices, even if specific devices are explicitly listed | + | eni.awsEnablePrefixDelegation | bool | `false` | Enable ENI prefix delegation | + | eni.awsReleaseExcessIPs | bool | `false` | Release IPs not used from the ENI | + | eni.ec2APIEndpoint | string | `""` | EC2 API endpoint to use | +diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml +index 9531ca18a8..1ce677f8ce 100644 +--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml ++++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml +@@ -688,6 +688,10 @@ data: + enable-runtime-device-detection: "true" + {{- end }} + ++{{- if .Values.enforceDeviceDetection }} ++ enforce-device-detection: "true" ++{{- end }} ++ + kube-proxy-replacement: {{ $kubeProxyReplacement | quote }} + + {{- if ne $kubeProxyReplacement "disabled" }} +diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml +index e81d3ebffd..2196bbb814 100644 +--- a/install/kubernetes/cilium/values.yaml ++++ b/install/kubernetes/cilium/values.yaml +@@ -690,6 +690,9 @@ daemon: + # be considered. + enableRuntimeDeviceDetection: false + ++# -- Enforces the auto-detection of devices, even if specific devices are explicitly listed ++enforceDeviceDetection: false ++ + # -- Chains to ignore when installing feeder rules. + # disableIptablesFeederRules: "" + +diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl +index 679b4cac07..3ed0b8f88b 100644 +--- a/install/kubernetes/cilium/values.yaml.tmpl ++++ b/install/kubernetes/cilium/values.yaml.tmpl +@@ -687,6 +687,9 @@ daemon: + # be considered. + enableRuntimeDeviceDetection: false + ++# -- Enforces the auto-detection of devices, even if specific devices are explicitly listed ++enforceDeviceDetection: false ++ + # -- Chains to ignore when installing feeder rules. 
+ # disableIptablesFeederRules: "" + +diff --git a/pkg/datapath/cells.go b/pkg/datapath/cells.go +index 69d6d71836..c0f4947d73 100644 +--- a/pkg/datapath/cells.go ++++ b/pkg/datapath/cells.go +@@ -114,7 +114,8 @@ var Cell = cell.Module( + // This is temporary until DevicesController takes ownership of the + // device-related configuration options. + return linuxdatapath.DevicesConfig{ +- Devices: cfg.GetDevices(), ++ Devices: cfg.GetDevices(), ++ EnforceDeviceDetection: option.Config.EnforceDeviceDetection, + } + }), + +diff --git a/pkg/datapath/linux/devices_controller.go b/pkg/datapath/linux/devices_controller.go +index fdfde8d4ec..cac3e44a32 100644 +--- a/pkg/datapath/linux/devices_controller.go ++++ b/pkg/datapath/linux/devices_controller.go +@@ -84,6 +84,9 @@ type DevicesConfig struct { + // If empty the devices are auto-detected according to rules defined + // by isSelectedDevice(). + Devices []string ++ // EnforceDeviceDetection forces the auto-detection of devices, ++ // even if user-specific devices are explicitly listed. ++ EnforceDeviceDetection bool + } + + type devicesControllerParams struct { +@@ -103,9 +106,10 @@ type devicesController struct { + params devicesControllerParams + log logrus.FieldLogger + +- initialized chan struct{} +- filter deviceFilter +- l3DevSupported bool ++ initialized chan struct{} ++ filter deviceFilter ++ enforceAutoDetection bool ++ l3DevSupported bool + + // deadLinkIndexes tracks the set of links that have been deleted. 
This is needed + // to avoid processing route or address updates after a link delete as they may +@@ -121,11 +125,12 @@ func newDevicesController(lc cell.Lifecycle, p devicesControllerParams) (*device + p.RouteTable, + ) + dc := &devicesController{ +- params: p, +- initialized: make(chan struct{}), +- filter: deviceFilter(p.Config.Devices), +- log: p.Log, +- deadLinkIndexes: sets.New[int](), ++ params: p, ++ initialized: make(chan struct{}), ++ filter: deviceFilter(p.Config.Devices), ++ enforceAutoDetection: p.Config.EnforceDeviceDetection, ++ log: p.Log, ++ deadLinkIndexes: sets.New[int](), + } + lc.Append(dc) + return dc, p.DeviceTable, p.RouteTable +@@ -529,12 +534,15 @@ func (dc *devicesController) isSelectedDevice(d *tables.Device, txn statedb.Writ + } + + // If user specified devices or wildcards, then skip the device if it doesn't match. +- // If the device does match, then skip further checks. ++ // If the device does match and user not requested auto detection, then skip further checks. ++ // If the device does match and user requested auto detection, then continue to further checks. + if dc.filter.nonEmpty() { + if dc.filter.match(d.Name) { + return true, "" + } +- return false, fmt.Sprintf("not matching user filter %v", dc.filter) ++ if !dc.enforceAutoDetection { ++ return false, fmt.Sprintf("not matching user filter %v", dc.filter) ++ } + } + + // Skip devices that have an excluded interface flag set. 
+diff --git a/pkg/datapath/linux/devices_test.go b/pkg/datapath/linux/devices_test.go +index cd9fdcc7ad..031894498f 100644 +--- a/pkg/datapath/linux/devices_test.go ++++ b/pkg/datapath/linux/devices_test.go +@@ -254,7 +254,36 @@ func (s *DevicesSuite) TestDetect(c *C) { + c.Assert(devices, checker.DeepEquals, []string{"bond0", "dummy0", "dummy1", "dummy_v6", "veth0"}) + option.Config.SetDevices([]string{}) + dm.Stop() ++ ++ // EnforceDeviceDetection enabled with specific devices ++ option.Config.SetDevices([]string{"dummy1"}) ++ option.Config.EnforceDeviceDetection = true ++ c.Assert(createDummy("dummy0", "192.168.0.1/24", false), IsNil) ++ c.Assert(createDummy("dummy1", "192.168.1.1/24", false), IsNil) ++ ++ dm, err = newDeviceManagerForTests() ++ c.Assert(err, IsNil) ++ devices, err = dm.Detect(true) ++ c.Assert(err, IsNil) ++ c.Assert(devices, checker.DeepEquals, []string{"dummy0", "dummy1"}) ++ option.Config.SetDevices([]string{}) ++ option.Config.DirectRoutingDevice = "" ++ dm.Stop() ++ ++ // EnforceDeviceDetection disabled with specific devices ++ option.Config.SetDevices([]string{"dummy1"}) ++ option.Config.EnforceDeviceDetection = false ++ ++ dm, err = newDeviceManagerForTests() ++ c.Assert(err, IsNil) ++ devices, err = dm.Detect(true) ++ c.Assert(err, IsNil) ++ c.Assert(devices, checker.DeepEquals, []string{"dummy1"}) ++ option.Config.SetDevices([]string{}) ++ option.Config.DirectRoutingDevice = "" ++ dm.Stop() + }) ++ + } + + func (s *DevicesSuite) TestExpandDevices(c *C) { +diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go +index fe34caa624..f095ff9a42 100644 +--- a/pkg/defaults/defaults.go ++++ b/pkg/defaults/defaults.go +@@ -554,6 +554,10 @@ const ( + // identity in a numeric identity. Values > 255 will decrease the number of + // allocatable identities. 
+ MaxConnectedClusters = 255 ++ ++ // EnforceDevicesDetection enforces the auto-detection of devices, ++ // even if specific devices are explicitly listed ++ EnforceDeviceDetection = false + ) + + var ( +diff --git a/pkg/option/config.go b/pkg/option/config.go +index 27c697d9e3..9ba4367b2e 100644 +--- a/pkg/option/config.go ++++ b/pkg/option/config.go +@@ -123,6 +123,9 @@ const ( + // Devices facing cluster/external network for attaching bpf_host + Devices = "devices" + ++ // Enforces the auto-detection of devices, even if specific devices are explicitly listed ++ EnforceDeviceDetection = "enforce-device-detection" ++ + // DirectRoutingDevice is the name of a device used to connect nodes in + // direct routing mode (only required by BPF NodePort) + DirectRoutingDevice = "direct-routing-device" +@@ -2447,6 +2450,10 @@ type DaemonConfig struct { + + // ServiceNoBackendResponse determines how we handle traffic to a service with no backends. + ServiceNoBackendResponse string ++ ++ // EnforceDeviceDetection forces the auto-detection of devices, ++ // even if specific devices are explicitly listed ++ EnforceDeviceDetection bool + } + + var ( +@@ -2490,6 +2497,7 @@ var ( + AllocatorListTimeout: defaults.AllocatorListTimeout, + EnableICMPRules: defaults.EnableICMPRules, + UseCiliumInternalIPForIPsec: defaults.UseCiliumInternalIPForIPsec, ++ EnforceDeviceDetection: defaults.EnforceDeviceDetection, + + K8sEnableLeasesFallbackDiscovery: defaults.K8sEnableLeasesFallbackDiscovery, + +@@ -3563,6 +3571,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { + c.UseCiliumInternalIPForIPsec = vp.GetBool(UseCiliumInternalIPForIPsec) + c.BypassIPAvailabilityUponRestore = vp.GetBool(BypassIPAvailabilityUponRestore) + c.EnableK8sTerminatingEndpoint = vp.GetBool(EnableK8sTerminatingEndpoint) ++ c.EnforceDeviceDetection = vp.GetBool(EnforceDeviceDetection) + + // Disable Envoy version check if L7 proxy is disabled. + c.DisableEnvoyVersionCheck = vp.GetBool(DisableEnvoyVersionCheck) 
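Review bot: The comment on the new default in `pkg/defaults/defaults.go` names `EnforceDevicesDetection` while the constant is `EnforceDeviceDetection`; fix the spelling so the godoc attaches to the symbol. More substantively, in `isSelectedDevice` an explicitly listed device still returns `true` before the exclusion checks that follow (`// Skip devices that have an excluded interface flag set.`), while with enforcement on every other interface falls through to those checks, so the flag's help text should say that listed devices are always selected and auto-detection is added on top, rather than "enforces the auto-detection of devices". Because the selected set is what `bpf_host` (NodePort, masquerading and the host firewall, per the `option.Devices` help text) is attached to, the option broadens the host-level datapath to any interface auto-detection accepts, and that consequence belongs in the `values.yaml` comment as well. The test resets `option.Config.DirectRoutingDevice = ""` after `Detect`, which suggests detection also picks the direct-routing device as a side effect; if so, the new option can change that choice too and the help text should mention it.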
diff --git a/packages/system/cilium/templates/_helpers.tpl b/packages/system/cilium/templates/_helpers.tpl new file mode 100644 index 00000000..d5406f98 --- /dev/null +++ b/packages/system/cilium/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "cilium.image" -}} +{{ .Files.Get "images/cilium.tag" | trim }}@{{ index (.Files.Get "images/cilium.json" | fromJson) "containerimage.digest" }} +{{- end -}} diff --git a/packages/system/cilium/values.yaml b/packages/system/cilium/values.yaml index 6e3a484f..63e386c4 100644 --- a/packages/system/cilium/values.yaml +++ b/packages/system/cilium/values.yaml @@ -24,4 +24,11 @@ cilium: configMap: cni-configuration routingMode: native enableIPv4Masquerade: false + enableIPv6Masquerade: false enableIdentityMark: false + enableRuntimeDeviceDetection: true + #enforceDeviceDetection: true + devices: ovn0 + extraEnv: + - name: CILIUM_ENFORCE_DEVICE_DETECTION + value: "true" From d7147c7fe19ad36d0ab30a98e081f1cd1d3ca7bf Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 27 May 2024 22:47:12 +0200 Subject: [PATCH 15/25] kube-ovn: disable cozystack image tag (#153) Signed-off-by: Andrei Kvapil --- packages/system/kubeovn/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index 9f0d8b98..d4e6884e 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile @@ -17,7 +17,6 @@ update: image: docker buildx build images/kubeovn \ --provenance false \ - --tag $(REGISTRY)/kubeovn:$(call settag,$(TAG)) \ --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)) \ --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)-$(TAG)) \ --cache-from type=registry,ref=$(REGISTRY)/kubeovn:latest \ From d7cfa53cd4bca15b40e3a3691bd02f639a779894 Mon Sep 17 00:00:00 2001 
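Review bot: The parent chart defines a named template `cilium.image`, and Helm template names are global across a chart and its subcharts, so this definition competes with the helper of the same name that the upstream subchart presumably ships and that takes an image map as its context; whichever definition wins, one set of callers gets the wrong context, either the rewritten DaemonSet seeing the upstream helper or an upstream template still calling `cilium.image` with `.Values.<component>.image` evaluating `.Files` on a map and failing to render. Give the helper a chart-specific name such as `cozystack.cilium.image` and use that name in the Makefile's `sed`. Guard the file reads with `required` so a missing `images/cilium.tag` or digest fails at render time instead of producing an `@`-only image reference: `{{ required "images/cilium.tag missing" (.Files.Get "images/cilium.tag") | trim }}`.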
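Review bot: `#enforceDeviceDetection: true` is left commented out and the same switch is pushed through `extraEnv` as `CILIUM_ENFORCE_DEVICE_DETECTION`, presumably because the chart pulled from helm.cilium.io does not carry the patched `cilium-configmap.yaml` template while the rebuilt agent image does; that reasoning belongs in the file, e.g. `# enforceDeviceDetection exists only in our patched agent, not in the upstream chart; pass it via env until the chart carries the patch`. The env var only works because of the `option.BindEnv` call in the patch, so it is silently ignored if an unpatched image is ever rendered here. Combining `devices: ovn0` with enforced detection attaches `bpf_host` (NodePort, masquerading, host firewall) to `ovn0` plus every interface auto-detection accepts, and with `enableRuntimeDeviceDetection: true` also to interfaces that appear later; a one-line comment naming which interfaces this is meant to pick up would make the widened scope reviewable.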
From: Andrei Kvapil Date: Wed, 29 May 2024 10:04:22 +0200 Subject: [PATCH 16/25] Prepare release v0.7.0 (#156) --- manifests/cozystack-installer.yaml | 4 ++-- packages/apps/http-cache/images/nginx-cache.json | 4 ++-- packages/core/installer/images/cozystack.json | 4 ++-- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/matchbox.json | 4 ++-- packages/system/cilium/images/cilium.tag | 2 +- packages/system/dashboard/images/dashboard.tag | 2 +- packages/system/dashboard/images/kubeapps-apis.json | 4 ++-- packages/system/dashboard/images/kubeapps-apis.tag | 2 +- packages/system/kubeovn/images/kubeovn.json | 4 ++-- packages/system/kubeovn/images/kubeovn.tag | 2 +- scripts/installer.sh | 2 +- scripts/migrations/3 | 12 ++++++++++++ 13 files changed, 30 insertions(+), 18 deletions(-) create mode 100755 scripts/migrations/3 diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index 742c7723..3112f1c6 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" command: - /usr/bin/darkhttpd - /cozystack/assets diff --git a/packages/apps/http-cache/images/nginx-cache.json b/packages/apps/http-cache/images/nginx-cache.json index e0e737b3..395c34ca 100644 --- a/packages/apps/http-cache/images/nginx-cache.json +++ b/packages/apps/http-cache/images/nginx-cache.json 
@@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf", - "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb" + "containerimage.config.digest": "sha256:31dedc466b9f92131f3e0f35b47d1f3771b6895d5b9a6cc089786b76b00c3a25", + "containerimage.digest": "sha256:86c7a8f2a11cbede492c778ffd67c759f722ab6958cab4a9df66af4035b1d7d9" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 68f3bc54..585f11e3 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188", - "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2" + "containerimage.config.digest": "sha256:6d54a5b971e80fbaace664054d4e67f24fd1fbb7807ebaffd036d4ea7195df10", + "containerimage.digest": "sha256:a6b167235d8556ff7e45f4582c2491a2ad48292a46005dcf767908e2fb78e74e" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index 27f181d5..e8430b50 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:v0.6.0 +ghcr.io/aenix-io/cozystack/cozystack:v0.7.0 diff --git a/packages/core/installer/images/matchbox.json b/packages/core/installer/images/matchbox.json index 2ff00e73..d5bf9ebe 100644 --- a/packages/core/installer/images/matchbox.json +++ b/packages/core/installer/images/matchbox.json 
@@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64", - "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6" + "containerimage.config.digest": "sha256:ed483d1187cdfeb92df319a30dde57141ceb1d4bafcc28ba006a1e60abc445ff", + "containerimage.digest": "sha256:000a46c2bffc3cf13909dc0ca570cdcea9692d85b1ef2a875afe08ea8136d2c2" } \ No newline at end of file diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag index ab03ee07..164d288a 100644 --- a/packages/system/cilium/images/cilium.tag +++ b/packages/system/cilium/images/cilium.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cilium:latest +ghcr.io/aenix-io/cozystack/cilium:v0.7.0 diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index 7f20ff19..b2afa3cc 100644 --- a/packages/system/dashboard/images/dashboard.tag +++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.6.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.7.0 diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index f54437aa..8a5f4ced 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:79ac02f0fe54d2007b222efe05596a1bf35b8557e406d018f825a2334bd73249", - "containerimage.digest": "sha256:1c1dbee8e5c4be14e5df36a69be75a6a2907445564379e23b7f8fbea1afc7093" + "containerimage.config.digest": "sha256:44db4f7c92adb68c79eb3e152c95318e559e5c1ac0ba6e3d467596b1315f37a1", + "containerimage.digest": "sha256:b0c355cf5387b376e676a9e395fa0a11790409123a29e637a7080a413fe7f10d" } \ No newline at end of file 
diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index 6cd70ddb..e6a5a538 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.6.0 +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.7.0 diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json index f482cd71..b6bf0857 100644 --- a/packages/system/kubeovn/images/kubeovn.json +++ b/packages/system/kubeovn/images/kubeovn.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:f83db05cfc7228a02d1308721de535e90e355d1b147b2d36bb98e10a848c3ef6", - "containerimage.digest": "sha256:440075488baba3610d7f8be6283f89ab3862ff3a9556c51a0e99ec6d46315192" + "containerimage.config.digest": "sha256:b3d76d1764c8c470a32b4d3b19e48592eda547710e8e6508666930e1db1b4cb3", + "containerimage.digest": "sha256:e5275d3a367aba3b4a7ec0bf25583cc21241e320da2ffd86f5c9cf4a7f6fac77" } \ No newline at end of file diff --git a/packages/system/kubeovn/images/kubeovn.tag b/packages/system/kubeovn/images/kubeovn.tag index 13402f01..2236b16e 100644 --- a/packages/system/kubeovn/images/kubeovn.tag +++ b/packages/system/kubeovn/images/kubeovn.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeovn:latest +ghcr.io/aenix-io/cozystack/kubeovn:v0.7.0 diff --git a/scripts/installer.sh b/scripts/installer.sh index 5fd5b0be..078ef6cd 100755 --- a/scripts/installer.sh +++ b/scripts/installer.sh @@ -3,7 +3,7 @@ set -o pipefail set -e BUNDLE=$(set -x; kubectl get configmap -n cozy-system cozystack -o 'go-template={{index .data "bundle-name"}}') -VERSION=3 +VERSION=4 run_migrations() { if ! kubectl get configmap -n cozy-system cozystack-version; then diff --git a/scripts/migrations/3 b/scripts/migrations/3 new file mode 100755 index 00000000..008d6604 --- /dev/null +++ b/scripts/migrations/3 
@@ -0,0 +1,12 @@ +#!/bin/sh +# Migration 3 --> 4 + +# Fix kubeovn crds +kubeovn_crds=$(kubectl get crd -o name | grep '\.kubeovn\.io$') +if [ -n "$kubeovn_crds" ]; then + kubectl annotate $kubeovn_crds meta.helm.sh/release-namespace=cozy-kubeovn meta.helm.sh/release-name=kubeovn + kubectl label $kubeovn_crds app.kubernetes.io/managed-by=Helm +fi + +# Write version to cozystack-version config +kubectl create configmap -n cozy-system cozystack-version --from-literal=version=4 --dry-run=client -o yaml | kubectl apply -f- From 8019256dfcca5425b5a00c737b65db57e483f40f Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 29 May 2024 17:57:03 +0200 Subject: [PATCH 17/25] Fix: clickhouse user login (#160) --- packages/apps/clickhouse/Chart.yaml | 2 +- packages/apps/clickhouse/templates/clickhouse.yaml | 1 + packages/apps/versions_map | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/apps/clickhouse/Chart.yaml b/packages/apps/clickhouse/Chart.yaml index 1b9862a0..d5ad8600 100644 --- a/packages/apps/clickhouse/Chart.yaml +++ b/packages/apps/clickhouse/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.2.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/clickhouse/templates/clickhouse.yaml b/packages/apps/clickhouse/templates/clickhouse.yaml index da754055..6c61ec14 100644 --- a/packages/apps/clickhouse/templates/clickhouse.yaml +++ b/packages/apps/clickhouse/templates/clickhouse.yaml 
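Review bot: The script runs under `#!/bin/sh` with no `set -e`, and `kubectl annotate`/`kubectl label` without `--overwrite` fail on a CRD that already carries one of these keys with a different value, so a failed adoption still falls through to the final `kubectl apply` and records version 4 as migrated. Add `set -e` after the shebang and `--overwrite` to both commands: `kubectl annotate --overwrite $kubeovn_crds meta.helm.sh/release-namespace=cozy-kubeovn meta.helm.sh/release-name=kubeovn` and `kubectl label --overwrite $kubeovn_crds app.kubernetes.io/managed-by=Helm`. The unquoted `$kubeovn_crds` is intentional word-splitting of the CRD names; a comment saying so keeps a later shellcheck pass from "fixing" it. These labels hand ownership of cluster-scoped CRDs to the `kubeovn` Helm release, so the header comment should warn that a later `helm uninstall` of that release would then remove the CRDs and every Kube-OVN object stored under them.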
@@ -14,6 +14,7 @@ spec: {{- range $name, $u := . }} {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }} {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }} + {{ $name }}/networks/ip: ["::/0"] {{- end }} {{- end }} profiles: diff --git a/packages/apps/versions_map b/packages/apps/versions_map index bd195c9a..712c3014 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -1,5 +1,6 @@ clickhouse 0.1.0 ca79f72 -clickhouse 0.2.0 HEAD +clickhouse 0.2.0 7cd7de73 +clickhouse 0.2.1 HEAD http-cache 0.1.0 a956713 http-cache 0.2.0 HEAD kafka 0.1.0 760f86d2 From b30a9a6fcfb27b241c73bb0e9284ef62cdcd16a9 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 30 May 2024 22:54:39 +0200 Subject: [PATCH 18/25] fix: dependsOn kubeovn and cilium in -hosted bundles (#161) --- packages/core/platform/bundles/distro-hosted.yaml | 4 ++-- packages/core/platform/bundles/paas-hosted.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/core/platform/bundles/distro-hosted.yaml b/packages/core/platform/bundles/distro-hosted.yaml index f14b65b0..41d027fe 100644 --- a/packages/core/platform/bundles/distro-hosted.yaml +++ b/packages/core/platform/bundles/distro-hosted.yaml @@ -54,13 +54,13 @@ releases: releaseName: kafka-operator chart: cozy-kafka-operator namespace: cozy-kafka-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: clickhouse-operator releaseName: clickhouse-operator chart: cozy-clickhouse-operator namespace: cozy-clickhouse-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: rabbitmq-operator releaseName: rabbitmq-operator diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml index bc9f86a1..a9c33818 100644 --- a/packages/core/platform/bundles/paas-hosted.yaml +++ b/packages/core/platform/bundles/paas-hosted.yaml 
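Review bot: `{{ $name }}/networks/ip: ["::/0"]` grants every configured user access from any source address, so the ClickHouse-level network ACL no longer restricts anything and exposure is governed solely by how the service is published; that is presumably the intent of the login fix, but it should be stated next to the line, e.g. `# allow logins from any address; reachability is controlled at the service/network layer`. A per-user override such as `{{ $name }}/networks/ip: {{ toJson ($u.allowedNetworks | default (list "::/0")) }}` would keep the default working while letting operators narrow it for privileged accounts. The block that supplies `.` to this `range` starts outside the hunk.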
@@ -54,13 +54,13 @@ releases: releaseName: kafka-operator chart: cozy-kafka-operator namespace: cozy-kafka-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: clickhouse-operator releaseName: clickhouse-operator chart: cozy-clickhouse-operator namespace: cozy-clickhouse-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: rabbitmq-operator releaseName: rabbitmq-operator From eedc4ebce158be35953516838435e72de8f6f506 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 12 Jun 2024 19:19:14 +0200 Subject: [PATCH 19/25] Add e2e tests Signed-off-by: Andrei Kvapil --- hack/e2e.sh | 305 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 305 insertions(+) create mode 100755 hack/e2e.sh diff --git a/hack/e2e.sh b/hack/e2e.sh new file mode 100755 index 00000000..90c8314d --- /dev/null +++ b/hack/e2e.sh 
@@ -0,0 +1,305 @@ +#!/bin/bash +if [ "$COZYSTACK_INSTALLER_YAML" = "" ]; then + echo 'COZYSTACK_INSTALLER_YAML variable is not set!' >&2 + echo 'please set it with following command:' >&2 + echo >&2 + echo 'export COZYSTACK_INSTALLER_YAML=$(helm template -n cozy-system installer packages/core/installer)' >&2 + echo >&2 + exit 1 +fi + +set -x +set -e + +kill `cat srv1/qemu.pid srv2/qemu.pid srv3/qemu.pid` || true + +ip link del cozy-br0 || true +ip link add cozy-br0 type bridge +ip link set cozy-br0 up +ip addr add 192.168.123.1/24 dev cozy-br0 + +rm -rf srv1 srv2 srv3 +mkdir -p srv1 srv2 srv3 + +# Prepare cloud-init +for i in 1 2 3; do + echo "local-hostname: srv$i" > "srv$i/meta-data" + echo '#cloud-config' > "srv$i/user-data" + cat > "srv$i/network-config" < patch.yaml <<\EOT +machine: + kubelet: + nodeIP: + validSubnets: + - 192.168.123.0/24 + extraConfig: + maxPods: 512 + kernel: + modules: + - name: openvswitch + - name: drbd + parameters: + - usermode_helper=disabled + - name: zfs + - name: spl + install: + image: ghcr.io/aenix-io/cozystack/talos:v1.7.1 + files: + - content: | + [plugins] + [plugins."io.containerd.grpc.v1.cri"] + device_ownership_from_security_context = true + path: /etc/cri/conf.d/20-customization.part + op: create + +cluster: + network: + cni: + name: none + dnsDomain: cozy.local + podSubnets: + - 10.244.0.0/16 + serviceSubnets: + - 10.96.0.0/16 +EOT + +cat > patch-controlplane.yaml <<\EOT +machine: + network: + interfaces: + - interface: eth0 + vip: + ip: 192.168.123.10 +cluster: + allowSchedulingOnControlPlanes: true + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + scheduler: + extraArgs: + bind-address: 0.0.0.0 + apiServer: + certSANs: + - 127.0.0.1 + proxy: + disabled: true + discovery: + enabled: false + etcd: + advertisedSubnets: + - 192.168.123.0/24 +EOT + +# Gen configuration +if [ ! 
-f secrets.yaml ]; then + talosctl gen secrets +fi + +rm -f controlplane.yaml worker.yaml talosconfig kubeconfig +talosctl gen config --with-secrets secrets.yaml cozystack https://192.168.123.10:6443 --config-patch=@patch.yaml --config-patch-control-plane @patch-controlplane.yaml +export TALOSCONFIG=$PWD/talosconfig + +# Apply configuration +talosctl apply -f controlplane.yaml -n 192.168.123.11 -e 192.168.123.11 -i +talosctl apply -f controlplane.yaml -n 192.168.123.12 -e 192.168.123.12 -i +talosctl apply -f controlplane.yaml -n 192.168.123.13 -e 192.168.123.13 -i + +# Wait for VM to be configured +timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done' + +# Bootstrap +talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11 + +# Wait for etcd +timeout 120 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done' + +rm -f kubeconfig +talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10 +export KUBECONFIG=$PWD/kubeconfig + +# Wait for kubernetes nodes appear +timeout 60 sh -c 'until [ $(kubectl get node -o name | wc -l) = 3 ]; do sleep 1; done' +kubectl create ns cozy-system +kubectl create -f - <<\EOT +apiVersion: v1 +kind: ConfigMap +metadata: + name: cozystack + namespace: cozy-system +data: + bundle-name: "paas-full" + ipv4-pod-cidr: "10.244.0.0/16" + ipv4-pod-gateway: "10.244.0.1" + ipv4-svc-cidr: "10.96.0.0/16" + ipv4-join-cidr: "100.64.0.0/16" +EOT + +# +echo "$COZYSTACK_INSTALLER_YAML" | kubectl apply -f - + +# wait for cozystack pod to start +kubectl wait deploy --timeout=1m --for=condition=available -n cozy-system cozystack + +# wait for helmreleases appear +timeout 60 sh -c 'until kubectl get hr -A | grep cozy; do sleep 1; done' + +sleep 5 + +kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x +# 
Wait for linstor controller +kubectl wait deploy --timeout=5m --for=condition=available -n cozy-linstor linstor-controller + +# Wait for all linstor nodes become Online +timeout 60 sh -c 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) = 3 ]; do sleep 1; done' + +kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv1 /dev/vdc --pool-name data --storage-pool data +kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv2 /dev/vdc --pool-name data --storage-pool data +kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv3 /dev/vdc --pool-name data --storage-pool data + +kubectl create -f- < Date: Fri, 14 Jun 2024 15:28:10 +0200 Subject: [PATCH 20/25] Allow specify externalIPs for nginx-ingress (#164) --- packages/extra/ingress/Chart.yaml | 2 +- packages/extra/ingress/README.md | 7 +++--- packages/extra/ingress/config.json | 23 +++++++++++++++++++ .../ingress/templates/nginx-ingress.yaml | 10 ++++++++ packages/extra/ingress/values.schema.json | 8 +++++++ packages/extra/ingress/values.yaml | 11 +++++++++ packages/extra/versions_map | 3 ++- 7 files changed, 59 insertions(+), 5 deletions(-) create mode 100644 packages/extra/ingress/config.json diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index d6011181..e9d3511f 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -3,4 +3,4 @@ name: ingress description: NGINX Ingress Controller icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg type: application -version: 1.0.0 +version: 1.1.0 diff --git a/packages/extra/ingress/README.md b/packages/extra/ingress/README.md index ceac2640..6167256a 100644 --- a/packages/extra/ingress/README.md +++ b/packages/extra/ingress/README.md 
@@ -4,6 +4,7 @@ ### Common parameters -| Name | Description | Value | -| ---------- | -------------------------------- | ----- | -| `replicas` | Number of ingress-nginx replicas | `2` | +| Name | Description | Value | +| ------------- | -------------------------------- | ----- | +| `replicas` | Number of ingress-nginx replicas | `2` | +| `externalIPs` | List of externalIPs for service. | `[]` | diff --git a/packages/extra/ingress/config.json b/packages/extra/ingress/config.json new file mode 100644 index 00000000..b2f956f3 --- /dev/null +++ b/packages/extra/ingress/config.json @@ -0,0 +1,23 @@ +{ + "comments": { + "format": "##" + }, + "tags": { + "param": "@param", + "section": "@section", + "descriptionStart": "@descriptionStart", + "descriptionEnd": "@descriptionEnd", + "skip": "@skip", + "extra": "@extra" + }, + "modifiers": { + "array": "array", + "object": "object", + "string": "string", + "nullable": "nullable", + "default": "default" + }, + "regexp": { + "paramsSectionTitle": "Parameters" + } +} diff --git a/packages/extra/ingress/templates/nginx-ingress.yaml b/packages/extra/ingress/templates/nginx-ingress.yaml index 68a5c18c..816327f0 100644 --- a/packages/extra/ingress/templates/nginx-ingress.yaml +++ b/packages/extra/ingress/templates/nginx-ingress.yaml @@ -27,3 +27,13 @@ spec: admissionWebhooks: enabled: false {{- end }} + service: + {{- if .Values.externalIPs }} + externalIPs: + {{- toYaml .Values.externalIPs | nindent 12 }} + type: ClusterIP + externalTrafficPolicy: Cluster + {{- else }} + type: LoadBalancer + externalTrafficPolicy: Local + {{- end }} diff --git a/packages/extra/ingress/values.schema.json b/packages/extra/ingress/values.schema.json index 05987fd2..48b05272 100644 --- a/packages/extra/ingress/values.schema.json +++ b/packages/extra/ingress/values.schema.json 
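Review bot: In the `externalIPs` branch of the nginx-ingress template the Service is given `externalTrafficPolicy: Cluster`, while the LoadBalancer branch keeps `Local`; with Cluster, kube-proxy SNATs forwarded traffic, so the controller's access logs, rate limits and IP allow-lists see node addresses rather than client addresses unless PROXY protocol or real-ip headers are configured elsewhere. Neither the README row nor the values.yaml description added by this commit mentions that trade-off; a line in values.yaml such as `## Note: with externalIPs the Service uses externalTrafficPolicy: Cluster, so client source IPs are not preserved.` would make it explicit, or the policy could be exposed as its own value. Since kube-proxy honours any address listed in `externalIPs` on every node, the list should be limited to addresses the cluster actually owns, with an admission policy as the usual control where tenants can set chart values. The mapping that `service:` is nested under begins outside the hunk, so the `nindent 12` depth cannot be checked from here.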
@@ -6,6 +6,14 @@ "type": "number", "description": "Number of ingress-nginx replicas", "default": 2 + }, + "externalIPs": { + "type": "array", + "description": "List of externalIPs for service.", + "default": "[]", + "items": { + "type": "string" + } } } } \ No newline at end of file diff --git a/packages/extra/ingress/values.yaml b/packages/extra/ingress/values.yaml index bf98d04c..85b78e6f 100644 --- a/packages/extra/ingress/values.yaml +++ b/packages/extra/ingress/values.yaml @@ -3,3 +3,14 @@ ## @param replicas Number of ingress-nginx replicas ## replicas: 2 + +## @param externalIPs [array] List of externalIPs for service. +## Optional. If not specified will use LoadBalancer service by default. +## +## e.g: +## externalIPs: +## - "11.22.33.44" +## - "11.22.33.45" +## - "11.22.33.46" +## +externalIPs: [] diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 6bc2b2f9..7b373bf8 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -2,5 +2,6 @@ etcd 1.0.0 f7eaab0 etcd 2.0.0 a6d0f7cf etcd 2.0.1 6fc1cc7d etcd 2.1.0 HEAD -ingress 1.0.0 HEAD +ingress 1.0.0 f642698 +ingress 1.1.0 HEAD monitoring 1.0.0 HEAD From 3a0bad04b9fdc6827ba3b73105a33a2d7f1e75bc Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 17 Jun 2024 17:37:24 +0200 Subject: [PATCH 21/25] add check for forwarding and masquerading Signed-off-by: Andrei Kvapil --- hack/e2e.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/hack/e2e.sh b/hack/e2e.sh index 90c8314d..db86d04f 100755 --- a/hack/e2e.sh +++ b/hack/e2e.sh @@ -8,6 +8,15 @@ if [ "$COZYSTACK_INSTALLER_YAML" = "" ]; then exit 1 fi +if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then + echo "IPv4 forwarding is not enabled!" >&2 + echo 'please enable forwarding with the following command:' >&2 + echo >&2 + echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >&2 + echo >&2 + exit 1 +fi + set -x set -e 
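Review bot: `"default": "[]"` in the new `externalIPs` property is a JSON string, not an empty array, so it contradicts `"type": "array"` and any form or validator that seeds a field from `default` will offer the literal text `[]`; it should read `"default": []`, matching the real empty list in values.yaml. Adding a `format` or `pattern` on `items` would additionally reject malformed addresses at validation time instead of letting them reach the Service spec, where kube-proxy attempts to honour whatever string is listed.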
@@ -18,6 +27,10 @@ ip link add cozy-br0 type bridge ip link set cozy-br0 up ip addr add 192.168.123.1/24 dev cozy-br0 +# Enable masquerading +iptables -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE || true +iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE + rm -rf srv1 srv2 srv3 mkdir -p srv1 srv2 srv3 From bcd1ee1b4f7e5c0a21bdbc4392a74387bba5852c Mon Sep 17 00:00:00 2001 From: Marian Koreniuk Date: Mon, 17 Jun 2024 19:13:54 +0200 Subject: [PATCH 22/25] Add masquerade --- hack/e2e.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hack/e2e.sh b/hack/e2e.sh index db86d04f..86278beb 100755 --- a/hack/e2e.sh +++ b/hack/e2e.sh @@ -27,9 +27,9 @@ ip link add cozy-br0 type bridge ip link set cozy-br0 up ip addr add 192.168.123.1/24 dev cozy-br0 -# Enable masquerading -iptables -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE || true -iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +# Enable forward & masquerading +echo 1 > /proc/sys/net/ipv4/ip_forward +iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -j MASQUERADE rm -rf srv1 srv2 srv3 mkdir -p srv1 srv2 srv3 From 02a41e126bd1927fda7e395fcb6d81e5fcd12939 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 19 Jun 2024 16:55:16 +0200 Subject: [PATCH 23/25] fix kubeovn and cilium tags (#174) * fix: kube-ovn tag * fix: cilium tag --- packages/system/cilium/Makefile | 2 +- packages/system/cilium/images/cilium.tag | 2 +- packages/system/kubeovn/Makefile | 2 +- packages/system/kubeovn/images/kubeovn.tag | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile index 23e43516..a5caba3b 100644 --- a/packages/system/cilium/Makefile +++ b/packages/system/cilium/Makefile 
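Review bot: The rewritten rule `iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -j MASQUERADE` is appended unconditionally, and the `-D ... || true` that the previous commit used to make the step idempotent is gone, so every run of the script adds another identical MASQUERADE rule. The `! -d 192.168.123.0/24` exclusion was dropped as well, so lab-subnet traffic that does traverse the host's nat table (for example with br_netfilter loaded) would be source-rewritten to the bridge address, which could confuse peer-address checks later in the script; this is inferred from the rule, not observed. A guarded form keeps both properties: `iptables -t nat -C POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE`. The new `echo 1 > /proc/sys/net/ipv4/ip_forward` also makes the exit-if-forwarding-disabled check from the previous commit redundant unless that check was removed elsewhere, which this diff does not show; keeping one of the two is enough.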
@@ -27,4 +27,4 @@ image: --metadata-file images/cilium.json \ --push=$(PUSH) \ --load=$(LOAD) - echo "$(REGISTRY)/cilium:$(call settag,$(TAG))" > images/cilium.tag + echo "$(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG))" > images/cilium.tag diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag index 164d288a..ab03ee07 100644 --- a/packages/system/cilium/images/cilium.tag +++ b/packages/system/cilium/images/cilium.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cilium:v0.7.0 +ghcr.io/aenix-io/cozystack/cilium:latest diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index d4e6884e..783005ba 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile @@ -24,4 +24,4 @@ image: --metadata-file images/kubeovn.json \ --push=$(PUSH) \ --load=$(LOAD) - echo "$(REGISTRY)/kubeovn:$(call settag,$(TAG))" > images/kubeovn.tag + echo "$(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG))" > images/kubeovn.tag diff --git a/packages/system/kubeovn/images/kubeovn.tag b/packages/system/kubeovn/images/kubeovn.tag index 2236b16e..f5b70b27 100644 --- a/packages/system/kubeovn/images/kubeovn.tag +++ b/packages/system/kubeovn/images/kubeovn.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeovn:v0.7.0 +ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0 From f12e2c300a8b824726f790d2150dd943b2b44a50 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 20 Jun 2024 13:43:04 +0200 Subject: [PATCH 24/25] add initial arm support Signed-off-by: Andrei Kvapil --- packages/core/installer/Makefile | 1 + packages/core/installer/images/cozystack.json | 10 ++++++++-- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/cozystack/Dockerfile | 5 ++++- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/packages/core/installer/Makefile b/packages/core/installer/Makefile index 7cea7ed7..090cb4b0 100644 --- a/packages/core/installer/Makefile +++ b/packages/core/installer/Makefile 
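Review bot: The cilium Makefile hunk now derives the tag file from `$(CILIUM_TAG)`, which is not defined anywhere in the hunk, and in the same commit `images/cilium.tag` moves from a versioned reference to `ghcr.io/aenix-io/cozystack/cilium:latest`, which looks like the result of that variable being empty at build time; the kubeovn hunk has the same shape but ends up pinned to `v1.13.0`. A mutable `latest` tag means the deployed image can change with no change in this repository and cannot be reproduced or audited from a checkout, unless the consumer also pins the digest recorded in `images/cilium.json`, which this diff does not show. Worth either giving `CILIUM_TAG` a versioned default or failing the recipe when it is empty, e.g. `@test -n "$(CILIUM_TAG)" || { echo "CILIUM_TAG is empty" >&2; exit 1; }` as the first recipe line. The installer tag file in a later commit on this page moves to `latest` the same way.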
@@ -25,6 +25,7 @@ image-cozystack: --provenance false \ --tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \ --cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \ + --platform linux/amd64,linux/arm64 \ --cache-to type=inline \ --metadata-file images/cozystack.json \ --push=$(PUSH) \ diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 585f11e3..63a732c3 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,4 +1,10 @@ { - "containerimage.config.digest": "sha256:6d54a5b971e80fbaace664054d4e67f24fd1fbb7807ebaffd036d4ea7195df10", - "containerimage.digest": "sha256:a6b167235d8556ff7e45f4582c2491a2ad48292a46005dcf767908e2fb78e74e" + "buildx.build.ref": "youthful_hertz/youthful_hertz0/aafwjh8j28i98f59smgh3qe86", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", + "digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef", + "size": 685 + }, + "containerimage.digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef", + "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index e8430b50..602d7b26 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:v0.7.0 +ghcr.io/aenix-io/cozystack/cozystack:latest diff --git a/packages/core/installer/images/cozystack/Dockerfile b/packages/core/installer/images/cozystack/Dockerfile index 6618cd00..7c9652b3 100644 --- a/packages/core/installer/images/cozystack/Dockerfile +++ b/packages/core/installer/images/cozystack/Dockerfile 
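Review bot: With `--platform linux/amd64,linux/arm64` the target now produces a manifest list, and the `--load=$(LOAD)` flag kept a few lines below cannot import a multi-platform result into the local image store (buildx's docker exporter handles a single platform), so an invocation with LOAD enabled will presumably fail after the build completes. Either restrict the platform list when LOAD is enabled, or state the constraint above the flag: `# --load cannot import a multi-platform manifest list; build a single platform when LOAD is set`. The recipe starts above the hunk.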
@@ -3,12 +3,15 @@ FROM golang:alpine3.19 as k8s-await-election-builder ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election ARG K8S_AWAIT_ELECTION_VERSION=0.4.1 +# TARGETARCH is a docker special variable: https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope +ARG TARGETARCH + RUN apk add --no-cache git make RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \ && cd /usr/local/go/k8s-await-election \ && git reset --hard v${K8S_AWAIT_ELECTION_VERSION} \ && make \ - && mv ./out/k8s-await-election-amd64 /k8s-await-election + && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election FROM alpine:3.19 AS builder From 995dea6f5cbec81990eb302574b23af6bdb34511 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 21 Jun 2024 10:10:11 +0200 Subject: [PATCH 25/25] postgres: option to enable quorum-based replication Signed-off-by: Andrei Kvapil --- packages/apps/postgres/Chart.yaml | 2 +- packages/apps/postgres/README.md | 12 +++++++----- packages/apps/postgres/templates/db.yaml | 3 +++ packages/apps/postgres/values.schema.json | 17 ++++++++++++++++- packages/apps/postgres/values.yaml | 9 ++++++++- packages/apps/versions_map | 3 ++- 6 files changed, 37 insertions(+), 9 deletions(-) diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml index 89dee73f..eb9ab8cc 100644 --- a/packages/apps/postgres/Chart.yaml +++ b/packages/apps/postgres/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.1 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
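Review bot: `ARG TARGETARCH` is declared without a default, so on a builder that does not populate the automatic platform args the expansion becomes `./out/k8s-await-election-` and the `mv` fails with a path that does not name the real problem. A guard on the line before the clone, `RUN test -n "${TARGETARCH}" || { echo "TARGETARCH must be set; build with buildx and --platform" >&2; exit 1; }`, gives a clear error, whereas a default value could mask a wrong-architecture binary on a host of another architecture. Pinning the clone with `git reset --hard v${K8S_AWAIT_ELECTION_VERSION}` is pre-existing and relies on a movable tag; a commit hash would be the stronger supply-chain pin, but that is outside this change. The build stage continues below the hunk with `FROM alpine:3.19 AS builder`.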
diff --git a/packages/apps/postgres/README.md b/packages/apps/postgres/README.md index 5bdf290f..6fbfc582 100644 --- a/packages/apps/postgres/README.md +++ b/packages/apps/postgres/README.md @@ -35,11 +35,13 @@ more details: ### Common parameters -| Name | Description | Value | -| ---------- | ----------------------------------------------- | ------- | -| `external` | Enable external access from outside the cluster | `false` | -| `size` | Persistent Volume size | `10Gi` | -| `replicas` | Number of MariaDB replicas | `2` | +| Name | Description | Value | +| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- | +| `external` | Enable external access from outside the cluster | `false` | +| `size` | Persistent Volume size | `10Gi` | +| `replicas` | Number of Postgres replicas | `2` | +| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed. | `0` | +| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0` | ### Configuration parameters diff --git a/packages/apps/postgres/templates/db.yaml b/packages/apps/postgres/templates/db.yaml index 7c7d5b9e..7c1483a1 100644 --- a/packages/apps/postgres/templates/db.yaml +++ b/packages/apps/postgres/templates/db.yaml @@ -11,6 +11,9 @@ spec: parameters: max_wal_senders: "30" + minSyncReplicas: {{ .Values.quorum.minSyncReplicas }} + maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }} + monitoring: enablePodMonitor: true diff --git a/packages/apps/postgres/values.schema.json b/packages/apps/postgres/values.schema.json index 11e09d44..51b81336 100644 --- a/packages/apps/postgres/values.schema.json +++ b/packages/apps/postgres/values.schema.json 
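Review bot: `minSyncReplicas` and `maxSyncReplicas` in db.yaml are rendered straight from values with no relation check, while the README row added in this commit states that `maxSyncReplicas` must be lower than the number of instances, and a minimum above the maximum is contradictory; such a pair is only rejected by the operator after the release is applied, or could leave the cluster waiting for acknowledgements that never arrive. A guard before the two lines, e.g. `{{- if gt (int .Values.quorum.minSyncReplicas) (int .Values.quorum.maxSyncReplicas) }}{{ fail "quorum.minSyncReplicas must not exceed quorum.maxSyncReplicas" }}{{- end }}`, fails at render time with a readable message. A matching check against the instance count would need the exact relation between `replicas` and the rendered instance count, which is not visible in this hunk. The enclosing `spec:` mapping starts outside the hunk.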
@@ -14,9 +14,24 @@ }, "replicas": { "type": "number", - "description": "Number of MariaDB replicas", + "description": "Number of Postgres replicas", "default": 2 }, + "quorum": { + "type": "object", + "properties": { + "minSyncReplicas": { + "type": "number", + "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.", + "default": 0 + }, + "maxSyncReplicas": { + "type": "number", + "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).", + "default": 0 + } + } + }, "databases": { "type": "object", "description": "Databases configuration", diff --git a/packages/apps/postgres/values.yaml b/packages/apps/postgres/values.yaml index 2b7b49c1..0fdd8c19 100644 --- a/packages/apps/postgres/values.yaml +++ b/packages/apps/postgres/values.yaml @@ -2,12 +2,19 @@ ## @param external Enable external access from outside the cluster ## @param size Persistent Volume size -## @param replicas Number of MariaDB replicas +## @param replicas Number of Postgres replicas ## external: false size: 10Gi replicas: 2 +## Configuration for the quorum-based synchronous replication +## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed. +## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). +quorum: + minSyncReplicas: 0 + maxSyncReplicas: 0 + ## @section Configuration parameters ## @param users [object] Users configuration diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 712c3014..5d5d46b8 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map 
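Review bot: Both new `quorum` properties in values.schema.json are typed `"number"`, which admits fractional and negative values for what the template renders into an integer replica count; `"type": "integer"` with `"minimum": 0` on each matches the documented defaults and rejects those inputs at validation time. The `replicas` property two lines above has the same `"number"` type, so aligning all three in one pass would be consistent. The values.yaml hunk in this commit describes the same constraints in prose only, and the min/max relation between the two fields is not expressible here, so the template remains the place to enforce it.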
@@ -14,7 +14,8 @@ mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
-postgres 0.2.1 HEAD
+postgres 0.2.1 4a97e297
+postgres 0.3.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698