scottk/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-03-22 00:41:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Andrei Kvapil
2023-12-10 20:09:43 +01:00
commit 80a61c813a
260 changed files with 49370 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.sops.yaml Normal file
View File

@@ -0,0 +1,4 @@
creation_rules:
# Andrei Kvapil <kvapss@gmail.com>
- pgp: >-
3D76910F67FB6093C527A3936A895C2DB83B4289

3
TODO Normal file
View File

@@ -0,0 +1,3 @@
remove control-plane taints
namespace for kube-ovn and its plugin
main installation script and uplaod secrets to kubernetes

7
clusters/pve/Makefile Normal file
View File

@@ -0,0 +1,7 @@
include ../../hack/app-talos.mk
export SERVER = https://192.168.0.110:6443
export ENDPOINT := 192.168.0.110
export NODES_CONTROL = 192.168.0.111 192.168.0.112 192.168.0.113
export NODES_WORKERS =
export NODE := $(NODES_CONTROL) $(NODES_WORKERS)

27
clusters/pve/patch-control-plane.yaml Normal file
View File

@@ -0,0 +1,27 @@
machine:
network:
interfaces:
- interface: eth0
vip:
ip: 192.168.0.110
cluster:
apiServer:
certSANs:
- 127.0.0.1
- 192.168.0.101
controllerManager:
extraArgs:
bind-address: 0.0.0.0
#secure-port: "10257"
scheduler:
extraArgs:
bind-address: 0.0.0.0
#secure-port: "10251"
proxy:
disabled: true
discovery:
enabled: false
etcd:
advertisedSubnets:
- 192.168.0.0/24

20
clusters/pve/patch.yaml Normal file
View File

@@ -0,0 +1,20 @@
machine:
certSANs:
- 127.0.0.1
kubelet:
nodeIP:
validSubnets:
- 192.168.0.0/24
kernel:
modules:
- name: openvswitch
cluster:
network:
cni:
name: none
podSubnets:
- 10.244.0.0/16
serviceSubnets:
- 10.96.0.0/16

52
clusters/pve/secrets.yaml Normal file
View File

@@ -0,0 +1,52 @@
cluster:
id: ENC[AES256_GCM,data:rREX92fVRMSX23MSD/K0nZHPFwSVVW2KIXx2mzWczELR/9STcitfXuwxfMo=,iv:G4uV20cZIy4nkvnPiBW9vX6CbPkS8w0wO154cUk+UOA=,tag:kaVn6zsaktQ7PML+JATEgA==,type:str]
secret: ENC[AES256_GCM,data:GmcOA7NeJ+fJOZzjSHVlVHYc+et21gMmPLkZfTrt52Tez3/30eBaO0ib4pU=,iv:XqK0O87HF9pRGIOE9d2oI2wUGGcQbtmvG/T3ltgpjTQ=,tag:MlA+snQPrAas5gu808au3w==,type:str]
secrets:
bootstraptoken: ENC[AES256_GCM,data:KnZCgCvZFfZwwNX+U6PvEEu5ZnLnIgw=,iv:DapMkH4NSFsXiob7H/TdKbDU2CnHfV7XBiMt6rYGQRc=,tag:Urf0Ek8txaKpQvv96uTtMQ==,type:str]
secretboxencryptionsecret: ENC[AES256_GCM,data:rFtVYk6Croxhd0ggBjXOUUjU6hHHmU5Gc2VUIN95kauM5ZTJrkn2htH2a2g=,iv:vtSfE0J9nhKODrVF1pG+H5jTdmgoIF30Mr3SX5PnTLY=,tag:5+GOe3qJHTRz70nqqz6a1g==,type:str]
trustdinfo:
token: ENC[AES256_GCM,data:rle/nI1y0TAo0xqcWJYzl8NXLfmOU+E=,iv:L782BcUdWjG4DB12F8CSaYeaQ1mRINBxNsD/64FY9MU=,tag:ZELBSuTX5EGQapZG2y08IA==,type:str]
certs:
etcd:
crt: ENC[AES256_GCM,data:mSOVPtu1lqVrTFzvaiifQVhu1fPzSRIojQWM4bcAyrvDuep7vCIkuIsSO01O7L6SoCEekWkmjAKT5/kjWnptG09fgC/PCBdQrkw4n3hf3p3/eWRX3lA/Q9PJ0jxX7ODqM+RwQrHaNaVi8bXy59jfTJWslNDwGmQPd10+RjXVYbKyhFNH/16HNFqmUQwJJYFuZDFX/2xBVtqYnhvBzPIoxRB0PrIPH28f+fY00k98JZnHuAmoh3B+/DwHYwNcnm0jl7lDDYHBYjmKNZL0Yxql3d4rVIxIlQAkoQCeH0Qhtk1FxlvDe86UpUFFeGvu3nPgKANtL/CNBSIDy3fPfjtX0Innf3XPQJS7VWQL/TVGNDigw3P3v5UjFXwWLd0MWHHRPGdZXHC9bSDXga8vsyPugdvpNwLQ0WSqYpLs+3MUBXrjnvTa8b+E54LMO16yQsZKdi3gDY6pqXERJHH50aNEQrJk3o8CCQuaKdIv6vgR84bQfFlGErrIt41dUmDRf7C0Azwn49EZ6zUiVuOYkN/7ugoPRfORua3FCqYwtQLPux4W+4N6F/EOOwEAITBPlF3PhXBPij7dnjZQLo/hkbyzAfjvi4y2BuVH8UBGcGfGW8MiC29NIdw0qbKXzthyDRr1GpO27+W5OK49zUcO/eLSuM0KloWQeUjR10ash4y0w4pQbxiD/jJu7xKR/Epf+lvjfkY0OAPxYOw8zitAhr8C/r7r98XzYN/ek2cbaaT0MpTwsKmnIGaO2sCMoIEi5bE+5SMJS8Ke/Hq0SDLznW6z4vogM5/YYdccj1D8wy8gFUes6gKeOLP0pLM6K2s5UDMy13YRi3YMACGfGpNmRaidxlOzFQHsUQ4G7/fwP/WxnyJDlysF1u67WDFMp0uJqPFYEn8FDj0d1v+qfAi9u6EIXBP5PkLtSg/P4W7GXwsZa9cUfVjSLG98WZA0lHpRrs7wE636RC/xWr+AB+EynoVzCL/qK6HM+/yeoH0Z0b8Fk0A3t6dI0cFNWXli8VaxUCIX,iv:p+2RkOJqnLTTkhmApEDxwIv/97JiZ+YTQeVtHVaotyM=,tag:2w1Ix3ygx5U7TVO6Q6tBRw==,type:str]
key: ENC[AES256_GCM,data:irVagysT7HJ8G5Rs86cXYM4sKlxMqNL+5FB6xCvoA/CsZbS2X7DnjOEXDEMIWxhm2tI/qiFRFgjzQ4d9OAsr3lCyX1kD57BiDdMF7JR3CVAl+YBGXUe2fC+6Ku88+ts2u6R96PLILQopof+XiTltuLzAfFdHzu3fXrFtY3GFsDBurztjFq/NR7dtxrVVYpN9/E6vu0OyB3x8KMBBl8FP9Qpvd7+mhmZLQV52PX3qN7Y6dS09uo5PSRI5ZWk1RFcMkQQDTggMk5EkrqDjoTwnoZpzPWddjKb1nftlOsTOwxQzEIESQVKBlYgn2jh9UqVwszupVuVwc4P1upaO1+0cFk9W545hnOsFcUEa7x72wEaJRHG5BnHCHWdros9PU/wmDMPaLAoHM7ZIjfA5ycLR/w==,iv:CnjSXmbeD3xJPGowBSiXx9dyFHh+lTVIJEgknCavuRk=,tag:ZRgC9JoGwfXkG74IkYIBuQ==,type:str]
k8s:
crt: ENC[AES256_GCM,data:rTGdfsF7bngu6jsyCYu3KOq/SgZLCNS5ru3aCdvzNHsGTp07gCwsi9jucoxw79o7qY2t67TOShzA6egek66hqSHsFEr+ABXKhhmnOEfx0VMiAT0RGbuN2Otcme9TYFYRSX8zdyeUl043TIdvtKjk+XLdtHxRav5LnErfP33xNlfLGOY47DsSbCqVd2QlIwthD4yOjZp4oGG+sgZFSMN04niL94mA6KcAbBVQr+5xp65Ir9TPjgoSHH3bCEgpgjlYsvAKaAZqvoqo7FRFTBCwPR427w2aqhke/RffStDG4t0VktytXvWg6b9vrW4Ryd0agH16BK2UrSL7J/tqjPlEtCMx35EiCzTdGtXmo1UPAa3WS0KDfZ6tzLUMZMHe7dvE+eI+G/LxTBQL7mPsYCZTCg6eWQCk4CesFjiBBgHMi0vHeZ8dBi1WsbbsLKKlxddeKlVsS5pKbzO98uLzq1TkiphNLjI5RlFvw7PAm/nITdsIzbBvJyGRh552Zi+urjOLyjpUTUAYRjn/S1LUfzm9DL6Q5S490U1DQaZYzzOtV7Ub4SWk54maVaUPXflNwunghE5wk0uBe3331iGNl6bV7kUY4A3WPIVmHQE62vXPWnytEZbaEGyvzJFXOtG2AWpySSaspN3e4QWp3ztB4XGrRRia//kYp+1j+MBySEPbIA53o7BXLwbY9RBgXdrZzcqJmnOs3O5Bu+kVOzYkYBFUZW5LylUygtmyptmdrTC8QYSpaEumVH9Xgz5ODhz6t95K8TledYtbU3xw3N6xlna7mc3Gmjy9LsKLBoedeWDZHwoYIKs0FrIaDZY1X29B3uTlTaDAgARNg1+jfE+lqMircrCPz6xjLKSFttf+9xlL0Jyzi11oFzrKgoXrqYJBgLwupf9cYKPkdMnmwaGLFrlmjCWzRMaXJzU+p1dBdiNfJ6z6wHt01K9OxjlQy+umYAj/ecaxN+QBo12rdM+v85c29kOb024yRsqfCzyEPQemkZt70T+V+5++tJKAYD9Wz7DspsYV/t2rzo3hD1f1o13zWbDSkSM2zmkeDgZfKw==,iv:CHs1NEHT3fHNvYkS7rcUuZnqX79rnmEKXLGj1dnz8LQ=,tag:i0XbbkiBiONHaRmvWsMaMA==,type:str]
key: ENC[AES256_GCM,data:8pxW+rRhtD+VDwUz1JWDO1GzS1zMPGa9uubmFhHGZCh4dp7jg2TWLsh2k53allDXVPdUxkpPJ+S583YTYwp3+RO1skdtYeoIX+j/TMokdrTXBzDZHjB0EOHIQ2hllwM0W2HzVPieG5ghFujp7J3Ws61T1xFTV868OqmFBiFGA0lhZ2sAsFbaPOuCHCLvyGSy/onL9wO1BReK+1pnFFFCN4gVMWWlT5p4svZYRV3z1TecI8cTU4tnLfMYyD92KDapt5uUwm+9YY7abjAgCFJVbC5dvKNIQ/tUyGjL0w1or2iOzrcMMAmsNFup8EqQ9mNuV8ITfDGNfNZ5TnimwI5hnhKzq8qR2iJLAaVEtXLsCRlFXrvUEHGI4BkIOqCIZjgnywXirsFdIYL18eB9qjLiqA==,iv:qlleDnoUg5QmyFhaOpLXu96Rpppje0Sf/P29y3MPI0Y=,tag:3eb3uYJ6ljoxdczHBoG1KQ==,type:str]
k8saggregator:
crt: ENC[AES256_GCM,data:a00mEUt4ycTNzs3xNJlUJ1NmXMsDinrfgibF9TJccd+vgIvKfTobe7+xkha3ExAwRYbCjVuUxtGBBj+TtX6Fl0YU6e+ReESpekS6G5/6wAlXsbnxD9dURy4Ivo3lfv+eojmzkFhD85sWEHg27dPBd909g9X9lQneODQdxev0OQi9zhf/NDkU4ffs/1poARFL1FBCi5BIfYhmvGzUGRuPKadhjx7udwoIldc1Muu7zSlosQqamRsnuRwmmU4S9mQRZw5FZx3rxqzG/L4uAQsm8USQ+3WFuu13SCTo2K8/0ucEEKag0J3Gx+7ggGsXv/Liue8pLqHzRqx6NJiDDBuH+BQ4vFx+qXeZQ7C2g/E5U5lkytQxnmiRw3YXUXyBTcb6u6KjVnbTUGnBZ/jPYz8yR7OkRAiToJGQrnE7yPU++f74cC10Hxi3VqFFqB02IqHgrH32LNCtmsisaS09T3PywuKf9DlrbOBlNxagMit63ruv+c8nT0Pyzso3Ubz5x85+2WI/sycZxofi1JObmPY4WJOAHtSNaNoWBkxo+bRxsQ5tTjNza1peXr+hwRYnrHkqnItd629TsQylNgKlfvqfOwVDB37d1qiuh/c91mKMW+5kKDIcpSWSnGRV7XhtIbpQtUqOon0U5blhofGEgrA5OHIaWRxje5TY4C6RqF7XXw46IHCP+0WUOGPCf4hB7u2PRXfKI39Bu45ODFoLcXQVdbt9h7gib6tFnu4flLK/CFQp6S6vbYgneZ5It4F5mBSwdYLh97ekWmn/1RTyXlkfxhOoc6HGKYPjN5hvTLw99fZ3bLCco/vrSp6PTU77pQQJ46IMvtf+q0SpcVqTF7pXrD4hdNK+hpk53gOVCnaxEoWxHWjcCnsZA1i6dIT7onTN61FPuHE6Yi6M0QHJJtxzzMKsX2tEwsPKetEMYzC55HISAljENPE4ZLf5K+3tA8FJ,iv:9EamgLwLIjBOuZidYTm9zW7RIi6VhBA/0AJ8U/jMPbc=,tag:iiJyZMlUT8fRxpzlCqgwvA==,type:str]
key: ENC[AES256_GCM,data:dphIYRpqXCPNq9PlmejMmhnagAQFpF/0k2sAbBBMm/KEKLbTGs/BBx04kB5rqLd+0fb9x62xufYSdutZe/F1rzyp1OBoPhDB7aNMOYJhsMH76LqLmg/aUE2RU+OI3nxdPFBDMHvG0gvJ0b4M56rpO0nW6zQLrymwye6joAIxmIQLqG6zcBvG0S8mWE60KWaQG/RGcPf4WDjF7Udah8sR2SpPk28miQ5pRcA7GWd2qNsHjNlgklu/femSpigaglHRPnjgVGlTusg1Fx4yxMbMi8pS7VuXEFWE3xFIqt6zub0hAwBVp3kawDIKH6DCJd+e5PT2PTAgvd0zKObLPecYUfM+1maR80mYIFh5zjlFf6We9ZEzBq9Z+fDCnykAhHvU+BGeVmG3PGNxPRdM3Mjgzg==,iv:L7vo7C3iTawZSXXRoR8WDj3kMSAEtYfltOivzw/1wjI=,tag:vjW2evuBwk/zDkmnFxsLog==,type:str]
k8sserviceaccount:
key: ENC[AES256_GCM,data:5xt9xMzE76k/9R/SBdQzU7+ORjpp2zT8BeJwbi5+BoBRnnwb8zxdKv2kyTDgO8+y7R9bKaD4uk4Yit1WfYTwnyMnEvCwKjHTfaTUJFRuPw/4zBhfSmkhpecweG7VgP8C+cdIJ8stH5v0vyCXRW1vPLP1zpwtLctPwjZEtjXW43wVOaoWkJjIQuu+Dub8fGyUj278ZyL+3yrA7ifRyWT1Ox4yH5g5KnsebzZevi6/oTFl4UeFDk/QNy/UW1veMudnqnDRm4qk2JEN/Y1PJDE4J6eetNcvh2WR65CQzBw3EzqvMSo/qgq92BxMStNv+1hgAs04bcrZQT//D0oBfvF+EY1eeQJVO3j/YCevhPKnYtQWrvCoDsBtVWe7fZ9XJa4XG3okh05l6o9umVowMPHjdA==,iv:gk+IpQQy+E85iIJah4w5f5FbEB1mBb0TB1Du5UeeyLc=,tag:7vy0qcfPuinWGYPvBfu0iw==,type:str]
os:
crt: ENC[AES256_GCM,data:f/Ejncrv5EOz6C1ccBCaeMhyuonB8rn29f13FBlsH4LUvCGgSLPamSaIgq4LNN2ekEfUGUJ/RYDGAIyQeW1hOfkzLO/4kyLIwKOlWFSF+2dsPrzSVVnOLs5U8DeUf7FEhomOq5GGyPceMM5ys0nj4vSB+Q2ULI7URQwCqHQjXCaCS0ccIqCFXHO0V+ckhvdBHC0GzJYnJ6hGZHItt2yfaUvDBumBDucmbv8ncvwL3KlVH1DFzPQJjFOwE3K7gT8aGqnUT5dJS0ShTd2Ks0VbTdkNuCH4owCjzhU3dt8B0gBvChgTg74wQnpc2ZEUI32qfMSLjucRV3IEZT3pV/GBbLzdjsIDBecvz0MMjhRvOLynzm//TxzCclcwAQP2hpuKfrcF0l15bkSLDZeH6STFbNaSNepIsVgG9GhiyVoFVYM+PIn9FxmYU9D7mQNGNqhctaGthO4VwwhKg2346ZpPJnnTuet74ccr7ZoubBiHi/ClC1xhZsjDSvHUlFlls7+FlkVUwcTaYZ9uH7RGZxuPkdlLsD8lwv6qX2KDIC1XVqZ32g9hkzIdy4KYR1NNMKi8wlqSM8+b+uA/msOkTtTRZ0u/jTQOVZOP6um5WrtQpRikejy9D7VYDVPm79dP0jxI+t+3hxFFncovuNDRfZI+dZ6V0ieZ6nTIuvOvcK3WdVj18yzktL9a10Pic9hTMp2r6LENBPLo9gigw2NH7dbDrIKBTyBWidLfIxTWIXhoPDN7v2s1ZFZ7+6zd5D+8i1fmr0r+3/MTNBtbDJvif5QycL5a4SteBz40kNa8dLqwlfH51SpBq7CG0cZC4YPol26XyVVwBWxKdzok0KzNB7ypymxItySHYWMoiAB1gFWH8SuVsilJ,iv:HBT8v13oU4DmKkTKGXrpazLcRJIWC3AyHxSOm9gkc94=,tag:XN/0e2QDPJ1l//vn5uFShA==,type:str]
key: ENC[AES256_GCM,data:gF5RDJ8kPx/xaLitTvufL+y8zUrh+NPW13B2BNaEbylGY7VakC1sIvEf41TQeqI3bajt/3Nq7ftyi9xKtHAzGkp6qEbg4UnkL3QnoK9jHirV68G5beLk3MrbGLaAXdTDkb+ZOfzA9Q5rj67hofOvskkZw1YEo6HrV1VBs69Gz25siJ1KGmjmvRaJrKZS0Di63XGKdzU0VFOI3twUJVrPsMXqJ4ueGbGUnpCrLKQreX3vdjNU,iv:qrHb1e/fswuxHWb7FT6RYOJnY4cuLDDN6M3IGDrgvOI=,tag:Y/OUqoMVoCHmCKlwXwLSYA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-12-08T09:27:31Z"
mac: ENC[AES256_GCM,data:gtlCdy70N3N87o2h4OudXw36qrpHrkYNk53EMPe8TFUmR5LtFN9c2vaQI8vSfd+DwmDeK5vk9HLKzp8ovYxxo9otF/Im3+Hi4Tt0mXZ3ZLrNDCza35esjoXRvkXqIbPbzV8I8RV8VNqQTjgI41klPcn2whT5kbpQAeCrQQiWm5M=,iv:YNNOCmXKJ4MoFo9GrnLYIs/KKazuiXWe2qrGnLjAgpA=,tag:xKj9NhfFpR9BjbGp/HcymQ==,type:str]
pgp:
- created_at: "2023-12-08T09:27:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcDMA28W6DUHn5DiAQwAmFZuAd0j+aVPVu8Tkcd3aw1BJeKfprmRkF/O6O7/NCsI
pmeMaCTOOiJ4m44GyrTzVSaMRcPKP7TanpiquTefG85jUVfzYFS4c9lffuITd+5b
ht+kOI7dhphAQF/BfS+IcSY6sHRw4XGeGa2EjTE+edAL33AUMdUvPmdzOXttef7V
J9enfJAxRDLza8wMW26NBh7n5cv2mqE+utRW/PEkR95Rt7r1RdgG0daAhaFOyoCr
Jabl/1KXTfcvs1q+ymk8WXakM7lc1PQEJqgKuGW982NlVanfGiDf2qU0ag48grQd
8hgvkXajLe74TD/O84MIeUCNbEPVBkGJzruzpH+g1CTKymfBo+cD39B1Jz6o5h2q
JdNvJuPGcD+nyEvb9N7UgzhQxti0512eQNQRN658zCi8LKn0zOYSJkwGinCZCYZP
cqsbmIWrS2gW5ip+UT9IXAMkFbiORKnxFY9lkmcA7m7Ar9liqtzh1aQ3LYUHU0GB
D4HkQXnNNJo4wBS/iqAZ0lEBOfQWZ73VY7hjQy0yZ+mkZSNuVrPYgqVXvlTR4qdH
fUvr17EX23oUXreRWEnyjHSnZH02TGXa7Rk4h0IiU1PJlxyuUl1WRQPq4qVkTMKE
FqM=
=93xL
-----END PGP MESSAGE-----
fp: 3D76910F67FB6093C527A3936A895C2DB83B4289
unencrypted_suffix: _unencrypted
version: 3.7.3

25
hack/app-helm.mk Normal file
View File

@@ -0,0 +1,25 @@
PUSH := 1
LOAD := 0
.DEFAULT_GOAL=help
.PHONY=help show diff apply delete update image
help:
@echo "USAGE\n"
@echo "Show app manifests:\n\
make show ENV=<environment_name> INSTANCE=<instance_name>\n"
@echo "Diff app manifests:\n\
make diff ENV=<environment_name> INSTANCE=<instance_name>\n"
@echo "Deploy app manifests:\n\
make show ENV=<environment_name> INSTANCE=<instance_name>\n"
@echo "Delete app manifests:\n\
make diff ENV=<environment_name> INSTANCE=<instance_name>\n"
@make -sq update 2>/dev/null || [ "$$?" != 1 ] \
|| echo "Download app manifests from upstream\n\
make update\n"
@make -sq image 2>/dev/null || [ "$$?" != 1 ] \
|| echo "Build docker image\n\
make image PUSH=<0|1> PULL=<0|1>\n"
show diff apply delete:
@../../hack/app-helm.sh $@

74
hack/app-helm.sh Executable file
View File

@@ -0,0 +1,74 @@
#!/bin/sh
set -e
ensure_namespace() {
if ! nsSecLabel=$(kubectl get "namespace/$namespace" -o jsonpath="{ .metadata.labels['pod-security\.kubernetes\.io/enforce'] }"); then
if [ "$createNamespace" = true ]; then
(set -x; kubectl create namespace "$namespace")
fi
fi
if [ "$nsSecLabel" != privileged ] && [ "$privilegedNamespace" = true ]; then
(set -x; kubectl label namespace "$namespace" pod-security.kubernetes.io/enforce=privileged --overwrite)
fi
if [ "$nsSecLabel" = privileged ] && [ "$privilegedNamespace" != true ]; then
(set -x; kubectl label namespace "$namespace" pod-security.kubernetes.io/enforce- --overwrite)
fi
}
ensure_crds() {
if [ "$crdsPolicy" != "CreateReplace" ]; then
return
fi
crds=$(mktemp)
"$0" show | yq e "select(.kind|downcase == \"customresourcedefinition\")
| .metadata.annotations.\"meta.helm.sh/release-name\"=\"$name\"
| .metadata.annotations.\"meta.helm.sh/release-namespace\"=\"$namespace\"
| .metadata.labels.\"app.kubernetes.io/managed-by\"=\"Helm\"
" > "$crds"
# We use kubectl create+replace instead of apply to avoid having last-applied configuration
if [ -s "$crds" ]; then
if [ "$crdsPolicy" = "CreateReplace" ]; then
(set -x; kubectl apply --server-side -f "$crds" --force-conflicts)
fi
fi
rm -f "$crds"
}
name=$(yq eval-all '[._helm.name].0' values.yaml)
namespace=$(yq eval-all '[._helm.namespace].0' values.yaml)
createNamespace=$(yq eval-all '[._helm.createNamespace].0' values.yaml)
privilegedNamespace=$(yq eval-all '[._helm.privilegedNamespace].0' values.yaml)
crdsPolicy=$(yq eval-all '[._helm.crds].0' values.yaml)
case null in
$name|$namespace)
echo "$envFile has no '_helm.name' or '_helm.namespace' fields" >&2
exit 1
;;
esac
case "$1" in
show)
set -x
helm template "$name" -n "$namespace" . --include-crds
;;
diff)
set -x
helm diff upgrade --allow-unreleased "$name" -n "$namespace" . --show-secrets
;;
apply)
ensure_namespace
ensure_crds
crdflag=
if [ "$crdsPolicy" != "Create" ]; then
crdflag=--skip-crds
fi
(set -x; helm upgrade -i "$name" -n "$namespace" . $crdflag)
;;
delete)
(set -x; helm uninstall "$name" -n "$namespace")
;;
*)
echo "Command "$1" is not implented!" >&2
exit 1
;;
esac

22
hack/app-talos.mk Normal file
View File

@@ -0,0 +1,22 @@
.DEFAULT_GOAL=help
.PHONY=init gen clean members diff apply dashboard
help:
@echo "USAGE\n"
@echo "Prepare secrets and basic files for new cluster:\n\
make init\n"
@echo "Generate configuration files:\n\
make gen\n"
@echo "Remove generated files:\n\
make clean\n"
@echo "Show etcd members:\n\
make members\n"
@echo "Diff currently generated configuration:\n\
make diff\n"
@echo "Apply currently generated configuration to the cluster:\n\
make apply\n"
@echo "Show dashboard:\n\
make dashboard\n"
init gen clean members diff apply dashboard:
@../../hack/app-talos.sh $@

75
hack/app-talos.sh Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
set -e
export TALOSCONFIG=talosconfig
usage() {
echo "Usage:"
echo " make <init|gen|clean|members|diff|dashboard> SERVER=https://xxx:6443 [NODE=127.0.0.1]"
exit 1
}
if [ "$1" != clean ] && [ -z "$SERVER" ]; then
usage
fi
patches=""
if [ -f patch.yaml ]; then
patches="$patches --config-patch=@patch.yaml"
fi
if [ -f patch-control-plane.yaml ]; then
patches="$patches --config-patch-control-plane=@patch-control-plane.yaml"
fi
if [ -f patch-worker.yaml ]; then
patches="$patches --config-patch-worker=@patch-worker.yaml"
fi
nodes_control=$(echo $NODES_CONTROL | tr ' ' ,)
nodes_workers=$(echo $NODES_WORKERS | tr ' ' ,)
case "$1" in
init)
set -x
talosctl gen secrets -o secrets.yaml
sops --encrypt -i secrets.yaml || rm -f secrets.yaml
;;
gen)
name="$(basename "${PWD}")"
set -x
sops -d secrets.yaml | talosctl gen config "$name" "$SERVER" --with-secrets /dev/stdin --with-docs=false $patches --force
talosctl --talosconfig talosconfig config endpoint ${ENDPOINT:-127.0.0.1}
talosctl --talosconfig talosconfig config node $NODE
;;
clean)
set -x
rm -f controlplane.yaml worker.yaml talosconfig kubeconfig
;;
members)
nodes=$(echo $NODES_CONTROL | tr ' ' ,)
set -x
talosctl etcd members -n "$nodes"
;;
diff)
if [ -n "$nodes_control" ]; then
(set -x; talosctl apply-config -n "$nodes_control" -f controlplane.yaml --dry-run)
fi
if [ -n "$nodes_workers" ]; then
(set -x; talosctl apply-config -n "$nodes_workers" -f worker.yaml --dry-run)
fi
;;
apply)
nodes=$(echo $NODES_CONTROL | tr ' ' ,)
if [ -n "$nodes_control" ]; then
(set -x; talosctl apply-config -n "$nodes_control" -f controlplane.yaml)
fi
nodes=$(echo $NODES_WORKERS | tr ' ' ,)
if [ -n "$nodes_workers" ]; then
(set -x; talosctl apply-config -n "$nodes_workers" -f worker.yaml)
fi
;;
dashboard)
(set -x; talosctl dashboard)
;;
*)
usage
;;
esac

2
system/cert-manager/.helmignore Normal file
View File

@@ -0,0 +1,2 @@
images
hack

2
system/cert-manager/Chart.yaml Normal file
View File

@@ -0,0 +1,2 @@
name: app
version: 0.0.0

7
system/cert-manager/Makefile Normal file
View File

@@ -0,0 +1,7 @@
include ../../hack/app-helm.mk
update:
rm -rf charts
helm repo add jetstack https://charts.jetstack.io
helm repo update jetstack
helm pull jetstack/cert-manager --untar --untardir charts

5
system/cert-manager/README.md Normal file
View File

@@ -0,0 +1,5 @@
# Cert-manager
Cloud native X.509 certificate management for Kubernetes and OpenShift.
- Docs: https://cert-manager.io/docs/

24
system/cert-manager/charts/cert-manager/Chart.yaml Normal file
View File

@@ -0,0 +1,24 @@
annotations:
artifacthub.io/prerelease: "false"
artifacthub.io/signKey: |
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
apiVersion: v1
appVersion: v1.12.3
description: A Helm chart for cert-manager
home: https://github.com/cert-manager/cert-manager
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
keywords:
- cert-manager
- kube-lego
- letsencrypt
- tls
kubeVersion: '>= 1.22.0-0'
maintainers:
- email: cert-manager-maintainers@googlegroups.com
name: cert-manager-maintainers
url: https://cert-manager.io
name: cert-manager
sources:
- https://github.com/cert-manager/cert-manager
version: v1.12.3

271
system/cert-manager/charts/cert-manager/README.md Normal file
View File

@@ -0,0 +1,271 @@
# cert-manager
cert-manager is a Kubernetes addon to automate the management and issuance of
TLS certificates from various issuing sources.
It will ensure certificates are valid and up to date periodically, and attempt
to renew certificates at an appropriate time before expiry.
## Prerequisites
- Kubernetes 1.20+
## Installing the Chart
Full installation instructions, including details on how to configure extra
functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/).
Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources.
This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
```bash
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.crds.yaml
```
To install the chart with the release name `my-release`:
```console
## Add the Jetstack Helm repository
$ helm repo add jetstack https://charts.jetstack.io
## Install the cert-manager helm chart
$ helm install my-release --namespace cert-manager --version v1.12.3 jetstack/cert-manager
```
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in [our documentation](https://cert-manager.io/docs/configuration/).
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the
[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/).
> **Tip**: List all releases using `helm list`
## Upgrading the Chart
Special considerations may be required when upgrading the Helm chart, and these
are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/).
**Please check here before performing upgrades!**
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
If you want to completely uninstall cert-manager from your cluster, you will also need to
delete the previously installed CustomResourceDefinition resources:
```console
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.crds.yaml
```
## Configuration
The following table lists the configurable parameters of the cert-manager chart and their default values.
| Parameter | Description | Default |
| --------- | ----------- | ------- |
| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
| `global.commonLabels` | Labels to apply to all resources | `{}` |
| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` |
| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | |
| `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | |
| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | |
| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` |
| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
| `image.tag` | Image tag | `v1.12.3` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `replicaCount` | Number of cert-manager replicas | `1` |
| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `<component>.extraArgs` | `` |
| `extraArgs` | Optional flags for cert-manager | `[]` |
| `extraEnv` | Optional environment variables for cert-manager | `[]` |
| `serviceAccount.create` | If `true`, create a new service account | `true` |
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `serviceAccount.annotations` | Annotations to add to the service account | |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `volumes` | Optional volumes for cert-manager | `[]` |
| `volumeMounts` | Optional volume mounts for cert-manager | `[]` |
| `resources` | CPU/memory resource requests/limits | `{}` |
| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `affinity` | Node affinity for pod assignment | `{}` |
| `tolerations` | Node tolerations for pod assignment | `[]` |
| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` |
| `livenessProbe.enabled` | Enable or disable the liveness probe for the controller container in the controller Pod. See https://cert-manager.io/docs/installation/best-practice/ to learn about when you might want to enable this livenss probe. | `false` |
| `livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `10` |
| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
| `livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `10` |
| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
| `livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
| `livenessProbe.failureThreshold` | The liveness probe failure threshold | `8` |
| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | |
| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | |
| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | |
| `prometheus.enabled` | Enable Prometheus monitoring | `true` |
| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` |
| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) |
| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` |
| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` |
| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` |
| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` |
| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | |
| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example. | `false` |
| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
| `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | |
| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | |
| `podLabels` | Labels to add to the cert-manager pod | `{}` |
| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
| `dns01RecursiveNameservers` | Comma separated string with host and port of the recursive nameservers cert-manager should query | `` |
| `dns01RecursiveNameserversOnly` | Forces cert-manager to only use the recursive nameservers for verification. | `false` |
| `enableCertificateOwnerRef` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted | `false` |
| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
| `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` |
| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` |
| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` |
| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
| `webhook.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
| `webhook.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `webhook.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` |
| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | |
| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` |
| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` |
| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
| `webhook.image.tag` | Webhook image tag | `v1.12.3` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) |
| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` |
| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` |
| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | |
| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | |
| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` |
| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` |
| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` |
| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` |
| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` |
| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` |
| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` |
| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` |
| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` |
| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` |
| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` |
| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` |
| `cainjector.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
| `cainjector.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `cainjector.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` |
| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` |
| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | |
| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` |
| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` |
| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` |
| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
| `cainjector.image.tag` | cainjector image tag | `v1.12.3` |
| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) |
| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` |
| `acmesolver.image.tag` | acmesolver image tag | `v1.12.3` |
| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` |
| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) |
| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` |
| `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` |
| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` |
| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` |
| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` |
| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` |
| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
| `startupapicheck.image.tag` | startupapicheck image tag | `v1.12.3` |
| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
| `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` |
| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | |
| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |
| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` |
### Default Security Contexts
The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies.
Default pod-level securityContext:
```yaml
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
```
Default containerSecurityContext:
```yaml
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
```
### Assigning Values
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml .
```
> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
## Contributing
This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).

15
system/cert-manager/charts/cert-manager/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,15 @@
cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/

174
system/cert-manager/charts/cert-manager/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,174 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "cert-manager.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "cert-manager.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "cert-manager.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Webhook templates
*/}}
{{/*
Expand the name of the chart.
Manually fix the 'app' and 'name' labels to 'webhook' to maintain
compatibility with the v0.9 deployment selector.
*/}}
{{- define "webhook.name" -}}
{{- printf "webhook" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "webhook.fullname" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "webhook.caRef" -}}
{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "webhook.serviceAccountName" -}}
{{- if .Values.webhook.serviceAccount.create -}}
{{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.webhook.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
cainjector templates
*/}}
{{/*
Expand the name of the chart.
Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
compatibility with the v0.9 deployment selector.
*/}}
{{- define "cainjector.name" -}}
{{- printf "cainjector" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "cainjector.fullname" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "cainjector.serviceAccountName" -}}
{{- if .Values.cainjector.serviceAccount.create -}}
{{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.cainjector.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
startupapicheck templates
*/}}
{{/*
Expand the name of the chart.
Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
compatibility with the v0.9 deployment selector.
*/}}
{{- define "startupapicheck.name" -}}
{{- printf "startupapicheck" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "startupapicheck.fullname" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "startupapicheck.serviceAccountName" -}}
{{- if .Values.startupapicheck.serviceAccount.create -}}
{{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.startupapicheck.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "chartName" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Labels that should be added on each resource
*/}}
{{- define "labels" -}}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- if eq (default "helm" .Values.creator) "helm" }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "chartName" . }}
{{- end -}}
{{- if .Values.global.commonLabels}}
{{ toYaml .Values.global.commonLabels }}
{{- end }}
{{- end -}}
{{/*
Namespace for all resources to be installed into
If not defined in values file then the helm release namespace is used
By default this is not set so the helm release namespace will be used
This gets around an problem within helm discussed here
https://github.com/helm/helm/issues/5358
*/}}
{{- define "cert-manager.namespace" -}}
{{ .Values.namespace | default .Release.Namespace }}
{{- end -}}

117
system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml Normal file
View File

@@ -0,0 +1,117 @@
{{- if .Values.cainjector.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "cainjector.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
{{- with .Values.cainjector.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.cainjector.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- with .Values.cainjector.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 8 }}
{{- with .Values.cainjector.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.cainjector.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-cainjector
{{- with .Values.cainjector.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
args:
{{- if .Values.global.logLevel }}
- --v={{ .Values.global.logLevel }}
{{- end }}
{{- with .Values.global.leaderElection }}
- --leader-election-namespace={{ .namespace }}
{{- if .leaseDuration }}
- --leader-election-lease-duration={{ .leaseDuration }}
{{- end }}
{{- if .renewDeadline }}
- --leader-election-renew-deadline={{ .renewDeadline }}
{{- end }}
{{- if .retryPeriod }}
- --leader-election-retry-period={{ .retryPeriod }}
{{- end }}
{{- end }}
{{- with .Values.cainjector.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.cainjector.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cainjector.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cainjector.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cainjector.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

26
system/cert-manager/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if .Values.cainjector.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "cainjector.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- end }}

20
system/cert-manager/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cainjector.fullname" . }}-psp
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "cainjector.fullname" . }}
{{- end }}
{{- end }}

22
system/cert-manager/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cainjector.fullname" . }}-psp
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cainjector.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

51
system/cert-manager/charts/cert-manager/templates/cainjector-psp.yaml Normal file
View File

@@ -0,0 +1,51 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "cainjector.fullname" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}
{{- end }}

103
system/cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml Normal file
View File

@@ -0,0 +1,103 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cainjector.fullname" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cainjector.fullname" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cainjector.fullname" . }}
subjects:
- name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "cainjector.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
rules:
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cainjector.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "cainjector.fullname" . }}:leaderelection
subjects:
- kind: ServiceAccount
name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

27
system/cert-manager/charts/cert-manager/templates/cainjector-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.cainjector.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.cainjector.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
{{- with .Values.cainjector.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

4462
system/cert-manager/charts/cert-manager/templates/crds.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

204
system/cert-manager/charts/cert-manager/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,204 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "cert-manager.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ template "cert-manager.name" . }}
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- with .Values.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- with .Values.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: {{ template "cert-manager.name" . }}
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
{{- if not .Values.podAnnotations }}
annotations:
{{- end }}
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
{{- end }}
spec:
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
{{- if hasKey .Values "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-controller
{{- with .Values.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if .Values.global.logLevel }}
- --v={{ .Values.global.logLevel }}
{{- end }}
{{- if .Values.clusterResourceNamespace }}
- --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
{{- else }}
- --cluster-resource-namespace=$(POD_NAMESPACE)
{{- end }}
{{- with .Values.global.leaderElection }}
- --leader-election-namespace={{ .namespace }}
{{- if .leaseDuration }}
- --leader-election-lease-duration={{ .leaseDuration }}
{{- end }}
{{- if .renewDeadline }}
- --leader-election-renew-deadline={{ .renewDeadline }}
{{- end }}
{{- if .retryPeriod }}
- --leader-election-retry-period={{ .retryPeriod }}
{{- end }}
{{- end }}
{{- with .Values.acmesolver.image }}
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
{{- end }}
{{- with .Values.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.ingressShim }}
{{- if .defaultIssuerName }}
- --default-issuer-name={{ .defaultIssuerName }}
{{- end }}
{{- if .defaultIssuerKind }}
- --default-issuer-kind={{ .defaultIssuerKind }}
{{- end }}
{{- if .defaultIssuerGroup }}
- --default-issuer-group={{ .defaultIssuerGroup }}
{{- end }}
{{- end }}
{{- if .Values.featureGates }}
- --feature-gates={{ .Values.featureGates }}
{{- end }}
{{- if .Values.maxConcurrentChallenges }}
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
{{- end }}
{{- if .Values.enableCertificateOwnerRef }}
- --enable-certificate-owner-ref=true
{{- end }}
{{- if .Values.dns01RecursiveNameserversOnly }}
- --dns01-recursive-nameservers-only=true
{{- end }}
{{- with .Values.dns01RecursiveNameservers }}
- --dns01-recursive-nameservers={{ . }}
{{- end }}
ports:
- containerPort: 9402
name: http-metrics
protocol: TCP
- containerPort: 9403
name: http-healthz
protocol: TCP
{{- with .Values.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.http_proxy }}
- name: HTTP_PROXY
value: {{ . }}
{{- end }}
{{- with .Values.https_proxy }}
- name: HTTPS_PROXY
value: {{ . }}
{{- end }}
{{- with .Values.no_proxy }}
- name: NO_PROXY
value: {{ . }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.livenessProbe }}
{{- if .enabled }}
# LivenessProbe settings are based on those used for the Kubernetes
# controller-manager. See:
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
livenessProbe:
httpGet:
port: http-healthz
path: /livez
scheme: HTTP
initialDelaySeconds: {{ .initialDelaySeconds }}
periodSeconds: {{ .periodSeconds }}
timeoutSeconds: {{ .timeoutSeconds }}
successThreshold: {{ .successThreshold }}
failureThreshold: {{ .failureThreshold }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podDnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- with .Values.podDnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}

23
system/cert-manager/charts/cert-manager/templates/networkpolicy-egress.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if .Values.webhook.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "webhook.fullname" . }}-allow-egress
namespace: {{ include "cert-manager.namespace" . }}
spec:
egress:
{{- with .Values.webhook.networkPolicy.egress }}
{{- toYaml . | nindent 2 }}
{{- end }}
podSelector:
matchLabels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 6 }}
{{- end }}
policyTypes:
- Egress
{{- end }}

25
system/cert-manager/charts/cert-manager/templates/networkpolicy-webhooks.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.webhook.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "webhook.fullname" . }}-allow-ingress
namespace: {{ include "cert-manager.namespace" . }}
spec:
ingress:
{{- with .Values.webhook.networkPolicy.ingress }}
{{- toYaml . | nindent 2 }}
{{- end }}
podSelector:
matchLabels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 6 }}
{{- end }}
policyTypes:
- Ingress
{{- end }}

26
system/cert-manager/charts/cert-manager/templates/poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "cert-manager.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- with .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- end }}

18
system/cert-manager/charts/cert-manager/templates/psp-clusterrole.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cert-manager.fullname" . }}-psp
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "cert-manager.fullname" . }}
{{- end }}

20
system/cert-manager/charts/cert-manager/templates/psp-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-psp
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}

49
system/cert-manager/charts/cert-manager/templates/psp.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "cert-manager.fullname" . }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}

544
system/cert-manager/charts/cert-manager/templates/rbac.yaml Normal file
View File

@@ -0,0 +1,544 @@
{{- if .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "cert-manager.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cert-manager.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "cert-manager.fullname" . }}:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
---
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-issuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificates
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-orders
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update", "patch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-challenges
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update", "patch"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: [ "gateway.networking.k8s.io" ]
resources: [ "httproutes" ]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
# new ingress resources.
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
---
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways", "httproutes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways/finalizers", "httproutes/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-issuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-issuers
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificates
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-certificates
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-orders
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-orders
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-challenges
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-challenges
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-view
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- if .Values.global.rbac.aggregateClusterRoles }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-edit
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- if .Values.global.rbac.aggregateClusterRoles }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["signers"]
verbs: ["approve"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
# Permission to:
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/status"]
verbs: ["update", "patch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
verbs: ["sign"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
{{- end }}

31
system/cert-manager/charts/cert-manager/templates/service.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{- if .Values.prometheus.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "cert-manager.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.serviceAnnotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- with .Values.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 9402
name: tcp-prometheus-servicemonitor
targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
selector:
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- end }}

25
system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- with .Values.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}

45
system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "cert-manager.fullname" . }}
{{- if .Values.prometheus.servicemonitor.namespace }}
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
{{- else }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
{{- with .Values.prometheus.servicemonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.prometheus.servicemonitor.annotations }}
annotations:
{{- with .Values.prometheus.servicemonitor.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
jobLabel: {{ template "cert-manager.fullname" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- if .Values.prometheus.servicemonitor.namespace }}
namespaceSelector:
matchNames:
- {{ include "cert-manager.namespace" . }}
{{- end }}
endpoints:
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
path: {{ .Values.prometheus.servicemonitor.path }}
interval: {{ .Values.prometheus.servicemonitor.interval }}
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
{{- end }}

88
system/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml Normal file
View File

@@ -0,0 +1,88 @@
{{- if .Values.startupapicheck.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "startupapicheck.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.jobAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
template:
metadata:
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 8 }}
{{- with .Values.startupapicheck.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: OnFailure
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
{{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.startupapicheck.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-startupapicheck
{{- with .Values.startupapicheck.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
args:
- check
- api
- --wait={{ .Values.startupapicheck.timeout }}
{{- with .Values.startupapicheck.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.startupapicheck.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.startupapicheck.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.startupapicheck.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.startupapicheck.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

24
system/cert-manager/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "startupapicheck.fullname" . }}-psp
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "startupapicheck.fullname" . }}
{{- end }}
{{- end }}

26
system/cert-manager/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "startupapicheck.fullname" . }}-psp
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "startupapicheck.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "startupapicheck.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

51
system/cert-manager/charts/cert-manager/templates/startupapicheck-psp.yaml Normal file
View File

@@ -0,0 +1,51 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "startupapicheck.fullname" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
{{- with .Values.startupapicheck.rbac.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'projected'
- 'secret'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}
{{- end }}

48
system/cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml Normal file
View File

@@ -0,0 +1,48 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.rbac.create }}
# create certificate role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "startupapicheck.fullname" . }}:create-cert
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "startupapicheck.fullname" . }}:create-cert
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "startupapicheck.fullname" . }}:create-cert
subjects:
- kind: ServiceAccount
name: {{ template "startupapicheck.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

27
system/cert-manager/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.startupapicheck.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "startupapicheck.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.startupapicheck.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

25
system/cert-manager/charts/cert-manager/templates/webhook-config.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.webhook.config -}}
{{- if not .Values.webhook.config.apiVersion -}}
{{- fail "webhook.config.apiVersion must be set" -}}
{{- end -}}
{{- if not .Values.webhook.config.kind -}}
{{- fail "webhook.config.kind must be set" -}}
{{- end -}}
{{- end -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
data:
{{- if .Values.webhook.config }}
config.yaml: |
{{ .Values.webhook.config | toYaml | nindent 4 }}
{{- end }}

185
system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml Normal file
View File

@@ -0,0 +1,185 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
{{- with .Values.webhook.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.webhook.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 8 }}
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.webhook.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.webhook.hostNetwork }}
hostNetwork: true
{{- end }}
containers:
- name: {{ .Chart.Name }}-webhook
{{- with .Values.webhook.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
args:
{{- if .Values.global.logLevel }}
- --v={{ .Values.global.logLevel }}
{{- end }}
{{- if .Values.webhook.config }}
- --config=/var/cert-manager/config/config.yaml
{{- end }}
{{- $config := default .Values.webhook.config "" }}
{{ if not $config.securePort -}}
- --secure-port={{ .Values.webhook.securePort }}
{{- end }}
{{- if .Values.featureGates }}
- --feature-gates={{ .Values.featureGates }}
{{- end }}
{{- $tlsConfig := default $config.tlsConfig "" }}
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
{{ if .Values.webhook.url.host }}
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
{{- end }}
{{- end }}
{{- with .Values.webhook.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: https
protocol: TCP
{{- if $config.securePort }}
containerPort: {{ $config.securePort }}
{{- else if .Values.webhook.securePort }}
containerPort: {{ .Values.webhook.securePort }}
{{- else }}
containerPort: 6443
{{- end }}
- name: healthcheck
protocol: TCP
{{- if $config.healthzPort }}
containerPort: {{ $config.healthzPort }}
{{- else }}
containerPort: 6080
{{- end }}
livenessProbe:
httpGet:
path: /livez
{{- if $config.healthzPort }}
port: {{ $config.healthzPort }}
{{- else }}
port: 6080
{{- end }}
scheme: HTTP
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
{{- if $config.healthzPort }}
port: {{ $config.healthzPort }}
{{- else }}
port: 6080
{{- end }}
scheme: HTTP
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
{{- with .Values.webhook.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.webhook.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
volumeMounts:
{{- if .Values.webhook.config }}
- name: config
mountPath: /var/cert-manager/config
{{- end }}
{{- if .Values.webhook.volumeMounts }}
{{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
{{- end }}
{{- end }}
{{- with .Values.webhook.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.webhook.config .Values.webhook.volumes }}
volumes:
{{- if .Values.webhook.config }}
- name: config
configMap:
name: {{ include "webhook.fullname" . }}
{{- end }}
{{- if .Values.webhook.volumes }}
{{- toYaml .Values.webhook.volumes | nindent 8 }}
{{- end }}
{{- end }}

46
system/cert-manager/charts/cert-manager/templates/webhook-mutating-webhook.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "webhook.fullname" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
{{- if .Values.webhook.url.host }}
url: https://{{ .Values.webhook.url.host }}/mutate
{{- else }}
service:
name: {{ template "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
path: /mutate
{{- end }}

26
system/cert-manager/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if .Values.webhook.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- end }}

18
system/cert-manager/charts/cert-manager/templates/webhook-psp-clusterrole.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "webhook.fullname" . }}-psp
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "webhook.fullname" . }}
{{- end }}

20
system/cert-manager/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "webhook.fullname" . }}-psp
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "webhook.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}

54
system/cert-manager/charts/cert-manager/templates/webhook-psp.yaml Normal file
View File

@@ -0,0 +1,54 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "webhook.fullname" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: {{ .Values.webhook.hostNetwork }}
{{- if .Values.webhook.hostNetwork }}
hostPorts:
- max: {{ .Values.webhook.securePort }}
min: {{ .Values.webhook.securePort }}
{{- end }}
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}

83
system/cert-manager/charts/cert-manager/templates/webhook-rbac.yaml Normal file
View File

@@ -0,0 +1,83 @@
{{- if .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "webhook.fullname" . }}:dynamic-serving
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- '{{ template "webhook.fullname" . }}-ca'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "webhook.fullname" . }}:dynamic-serving
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "webhook.fullname" . }}:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}

32
system/cert-manager/charts/cert-manager/templates/webhook-service.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.webhook.serviceAnnotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
{{- with .Values.webhook.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.webhook.serviceType }}
{{- with .Values.webhook.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
ports:
- name: https
port: 443
protocol: TCP
targetPort: "https"
selector:
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"

25
system/cert-manager/charts/cert-manager/templates/webhook-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.webhook.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.webhook.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
{{- with .Values.webhook.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

55
system/cert-manager/charts/cert-manager/templates/webhook-validating-webhook.yaml Normal file
View File

@@ -0,0 +1,55 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "webhook.fullname" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
{{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- {{ include "cert-manager.namespace" . }}
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
failurePolicy: Fail
sideEffects: None
clientConfig:
{{- if .Values.webhook.url.host }}
url: https://{{ .Values.webhook.url.host }}/validate
{{- else }}
service:
name: {{ template "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
path: /validate
{{- end }}

692
system/cert-manager/charts/cert-manager/values.yaml Normal file
View File

@@ -0,0 +1,692 @@
# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
# Reference to one or more secrets to be used when pulling images
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: "image-pull-secret"
# Labels to apply to all resources
# Please note that this does not add labels to the resources created dynamically by the controllers.
# For these resources, you have to add the labels in the template in the cert-manager custom resource:
# eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
# ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress
# eg. secretTemplate in CertificateSpec
# ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
commonLabels: {}
# team_name: dev
# Optional priority class to be used for the cert-manager pods
priorityClassName: ""
rbac:
create: true
# Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
aggregateClusterRoles: true
podSecurityPolicy:
enabled: false
useAppArmor: true
# Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
logLevel: 2
leaderElection:
# Override the namespace used for the leader election lease
namespace: "kube-system"
# The duration that non-leader candidates will wait after observing a
# leadership renewal until attempting to acquire leadership of a led but
# unrenewed leader slot. This is effectively the maximum duration that a
# leader can be stopped before it is replaced by another candidate.
# leaseDuration: 60s
# The interval between attempts by the acting master to renew a leadership
# slot before it stops leading. This must be less than or equal to the
# lease duration.
# renewDeadline: 40s
# The duration the clients should wait between attempting acquisition and
# renewal of a leadership.
# retryPeriod: 15s
installCRDs: false
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
# or a percentage value (e.g. 25%)
# Comma separated list of feature gates that should be enabled on the controller
# Note: do not use this field to pass feature gate values into webhook
# component as this behaviour relies on a bug that will be fixed in cert-manager 1.13
# https://github.com/cert-manager/cert-manager/pull/6093
# Use webhook.extraArgs to pass --feature-gates flag directly instead.
featureGates: ""
# The maximum number of challenges that can be scheduled as 'processing' at once
maxConcurrentChallenges: 60
image:
repository: quay.io/jetstack/cert-manager-controller
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-controller
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""
# This namespace allows you to define where the services will be installed into
# if not set then they will use the namespace of the release
# This is helpful when installing cert manager as a chart dependency (sub chart)
namespace: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
# Optional additional labels to add to the controller's ServiceAccount
# labels: {}
automountServiceAccountToken: true
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
enableCertificateOwnerRef: false
# Setting Nameservers for DNS01 Self Check
# See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
# Comma separated string with host and port of the recursive nameservers cert-manager should query
dns01RecursiveNameservers: ""
# Forces cert-manager to only use the recursive nameservers for verification.
# Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
dns01RecursiveNameserversOnly: false
# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
extraArgs: []
# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver
# - --controllers=*,-certificaterequests-approver
extraEnv: []
# - name: SOME_VAR
# value: 'some value'
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
volumes: []
volumeMounts: []
# Optional additional annotations to add to the controller Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the controller Pods
# podAnnotations: {}
podLabels: {}
# Optional annotations to add to the controller Service
# serviceAnnotations: {}
# Optional additional labels to add to the controller Service
# serviceLabels: {}
# Optional DNS settings, useful if you have a public and private DNS zone for
# the same domain on Route 53. What follows is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.
# podDnsPolicy: "None"
# podDnsConfig:
# nameservers:
# - "1.1.1.1"
# - "8.8.8.8"
nodeSelector:
kubernetes.io/os: linux
ingressShim: {}
# defaultIssuerName: ""
# defaultIssuerKind: ""
# defaultIssuerGroup: ""
prometheus:
enabled: true
servicemonitor:
enabled: false
prometheusInstance: default
targetPort: 9402
path: /metrics
interval: 60s
scrapeTimeout: 30s
labels: {}
annotations: {}
honorLabels: false
# Use these variables to configure the HTTP_PROXY environment variables
# http_proxy: "http://proxy:8080"
# https_proxy: "https://proxy:8080"
# no_proxy: 127.0.0.1,localhost
# A Kubernetes Affinty, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
# for example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
# for example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
# A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
# for example:
# topologySpreadConstraints:
# - maxSkew: 2
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels:
# app.kubernetes.io/instance: cert-manager
# app.kubernetes.io/component: controller
topologySpreadConstraints: []
# LivenessProbe settings for the controller container of the controller Pod.
#
# Disabled by default, because the controller has a leader election mechanism
# which should cause it to exit if it is unable to renew its leader election
# record.
# LivenessProbe durations and thresholds are based on those used for the Kubernetes
# controller-manager. See:
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
livenessProbe:
enabled: false
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 8
webhook:
replicaCount: 1
timeoutSeconds: 10
# Used to configure options for the webhook pod.
# This allows setting options that'd usually be provided via flags.
# An APIVersion and Kind must be specified in your values.yaml file.
# Flags will override options that are set here.
config:
# apiVersion: webhook.config.cert-manager.io/v1alpha1
# kind: WebhookConfiguration
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
# This should be uncommented and set as a default by the chart once we graduate
# the apiVersion of WebhookConfiguration past v1alpha1.
# securePort: 10250
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the webhook component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
# or a percentage value (e.g. 25%)
# Container Security Context to be set on the webhook component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the webhook Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the webhook Pods
# podAnnotations: {}
# Optional additional annotations to add to the webhook Service
# serviceAnnotations: {}
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration
# mutatingWebhookConfigurationAnnotations: {}
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
# validatingWebhookConfigurationAnnotations: {}
# Additional command line flags to pass to cert-manager webhook binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
extraArgs: []
# Path to a file containing a WebhookConfiguration object used to configure the webhook
# - --config=<path-to-config-file>
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
nodeSelector:
kubernetes.io/os: linux
affinity: {}
tolerations: []
topologySpreadConstraints: []
# Optional additional labels to add to the Webhook Pods
podLabels: {}
# Optional additional labels to add to the Webhook Service
serviceLabels: {}
image:
repository: quay.io/jetstack/cert-manager-webhook
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-webhook
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Optional additional labels to add to the webhook's ServiceAccount
# labels: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
securePort: 10250
# Specifies if the webhook should be started in hostNetwork mode.
#
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
# CNI (such as calico), because control-plane managed by AWS cannot communicate
# with pods' IP CIDR and admission webhooks are not working
#
# Since the default port for the webhook conflicts with kubelet on the host
# network, `webhook.securePort` should be changed to an available port if
# running in hostNetwork mode.
hostNetwork: false
# Specifies how the service should be handled. Useful if you want to expose the
# webhook to outside of the cluster. In some cases, the control plane cannot
# reach internal services.
serviceType: ClusterIP
# loadBalancerIP:
# Overrides the mutating webhook and validating webhook so they reach the webhook
# service using the `url` field instead of a service.
url: {}
# host:
# Enables default network policies for webhooks.
networkPolicy:
enabled: false
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
egress:
- ports:
- port: 80
protocol: TCP
- port: 443
protocol: TCP
- port: 53
protocol: TCP
- port: 53
protocol: UDP
# On OpenShift and OKD, the Kubernetes API server listens on
# port 6443.
- port: 6443
protocol: TCP
to:
- ipBlock:
cidr: 0.0.0.0/0
volumes: []
volumeMounts: []
cainjector:
enabled: true
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the cainjector component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
# or a percentage value (e.g. 25%)
# Container Security Context to be set on the cainjector component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the cainjector Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the cainjector Pods
# podAnnotations: {}
# Additional command line flags to pass to cert-manager cainjector binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help
extraArgs: []
# Enable profiling for cainjector
# - --enable-profiling=true
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector:
kubernetes.io/os: linux
affinity: {}
tolerations: []
topologySpreadConstraints: []
# Optional additional labels to add to the CA Injector Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-cainjector
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-cainjector
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
# Optional additional labels to add to the cainjector's ServiceAccount
# labels: {}
automountServiceAccountToken: true
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
volumes: []
volumeMounts: []
acmesolver:
image:
repository: quay.io/jetstack/cert-manager-acmesolver
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-acmesolver
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job- if you are injecting mesh
# sidecar proxies into cert-manager pods, you probably want to ensure that they
# are not injected into this Job's pod. Otherwise the installation may time out
# due to the Job never being completed because the sidecar proxy does not exit.
# See https://github.com/cert-manager/cert-manager/pull/4414 for context.
startupapicheck:
enabled: true
# Pod Security Context to be set on the startupapicheck component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Timeout for 'kubectl check api' command
timeout: 1m
# Job backoffLimit
backoffLimit: 4
# Optional additional annotations to add to the startupapicheck Job
jobAnnotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Optional additional annotations to add to the startupapicheck Pods
# podAnnotations: {}
# Additional command line flags to pass to startupapicheck binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
extraArgs: []
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector:
kubernetes.io/os: linux
affinity: {}
tolerations: []
# Optional additional labels to add to the startupapicheck Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-ctl
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-ctl
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
rbac:
# annotations for the startup API Check job RBAC and PSP resources
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the Job's ServiceAccount
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Optional additional labels to add to the startupapicheck's ServiceAccount
# labels: {}
volumes: []
volumeMounts: []

28
system/cert-manager/templates/cluster-issuers.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
name: letsencrypt-prod
spec:
acme:
privateKeySecretRef:
name: letsencrypt-prod
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-stage
spec:
acme:
privateKeySecretRef:
name: letsencrypt-stage
server: https://acme-staging-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: nginx

8
system/cert-manager/values.yaml Normal file
View File

@@ -0,0 +1,8 @@
_helm:
name: cert-manager
namespace: cozy-cert-manager
createNamespace: true
crds: CreateReplace
cert-manager:
installCRDs: true

2
system/cilium/Chart.yaml Normal file
View File

@@ -0,0 +1,2 @@
name: app
version: 0.0.0

9
system/cilium/Makefile Normal file
View File

@@ -0,0 +1,9 @@
include ../../hack/app-helm.mk
update:
rm -rf charts
helm repo add cilium https://helm.cilium.io/
helm repo update cilium
helm pull cilium/cilium --untar --untardir charts
sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
patch -p3 < patches/fix-cgroups.patch

6
system/cilium/README.md Normal file
View File

@@ -0,0 +1,6 @@
# Cilium
Cloud Native, eBPF-based Networking, Observability, and Security.
- Docs https://docs.cilium.io
- Telegram: https://t.me/ciliumproject

24
system/cilium/charts/cilium/.helmignore Normal file
View File

@@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.github/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

141
system/cilium/charts/cilium/Chart.yaml Normal file
View File

@@ -0,0 +1,141 @@
annotations:
artifacthub.io/crds: |
- kind: CiliumNetworkPolicy
version: v2
name: ciliumnetworkpolicies.cilium.io
displayName: Cilium Network Policy
description: |
Cilium Network Policies provide additional functionality beyond what
is provided by standard Kubernetes NetworkPolicy such as the ability
to allow traffic based on FQDNs, or to filter at Layer 7.
- kind: CiliumClusterwideNetworkPolicy
version: v2
name: ciliumclusterwidenetworkpolicies.cilium.io
displayName: Cilium Clusterwide Network Policy
description: |
Cilium Clusterwide Network Policies support configuring network traffic
policiies across the entire cluster, including applying node firewalls.
- kind: CiliumExternalWorkload
version: v2
name: ciliumexternalworkloads.cilium.io
displayName: Cilium External Workload
description: |
Cilium External Workload supports configuring the ability for external
non-Kubernetes workloads to join the cluster.
- kind: CiliumLocalRedirectPolicy
version: v2
name: ciliumlocalredirectpolicies.cilium.io
displayName: Cilium Local Redirect Policy
description: |
Cilium Local Redirect Policy allows local redirects to be configured
within a node to support use cases like Node-Local DNS or KIAM.
- kind: CiliumNode
version: v2
name: ciliumnodes.cilium.io
displayName: Cilium Node
description: |
Cilium Node represents a node managed by Cilium. It contains a
specification to control various node specific configuration aspects
and a status section to represent the status of the node.
- kind: CiliumIdentity
version: v2
name: ciliumidentities.cilium.io
displayName: Cilium Identity
description: |
Cilium Identity allows introspection into security identities that
Cilium allocates which identify sets of labels that are assigned to
individual endpoints in the cluster.
- kind: CiliumEndpoint
version: v2
name: ciliumendpoints.cilium.io
displayName: Cilium Endpoint
description: |
Cilium Endpoint represents the status of individual pods or nodes in
the cluster which are managed by Cilium, including enforcement status,
IP addressing and whether the networking is succesfully operational.
- kind: CiliumEndpointSlice
version: v2alpha1
name: ciliumendpointslices.cilium.io
displayName: Cilium Endpoint Slice
description: |
Cilium Endpoint Slice represents the status of groups of pods or nodes
in the cluster which are managed by Cilium, including enforcement status,
IP addressing and whether the networking is succesfully operational.
- kind: CiliumEgressGatewayPolicy
version: v2
name: ciliumegressgatewaypolicies.cilium.io
displayName: Cilium Egress Gateway Policy
description: |
Cilium Egress Gateway Policy provides control over the way that traffic
leaves the cluster and which source addresses to use for that traffic.
- kind: CiliumClusterwideEnvoyConfig
version: v2
name: ciliumclusterwideenvoyconfigs.cilium.io
displayName: Cilium Clusterwide Envoy Config
description: |
Cilium Clusterwide Envoy Config specifies Envoy resources and K8s service mappings
to be provisioned into Cilium host proxy instances in cluster context.
- kind: CiliumEnvoyConfig
version: v2
name: ciliumenvoyconfigs.cilium.io
displayName: Cilium Envoy Config
description: |
Cilium Envoy Config specifies Envoy resources and K8s service mappings
to be provisioned into Cilium host proxy instances in namespace context.
- kind: CiliumBGPPeeringPolicy
version: v2alpha1
name: ciliumbgppeeringpolicies.cilium.io
displayName: Cilium BGP Peering Policy
description: |
Cilium BGP Peering Policy instructs Cilium to create specific BGP peering
configurations.
- kind: CiliumLoadBalancerIPPool
version: v2alpha1
name: ciliumloadbalancerippools.cilium.io
displayName: Cilium Load Balancer IP Pool
description: |
Defining a Cilium Load Balancer IP Pool instructs Cilium to assign IPs to LoadBalancer Services.
- kind: CiliumNodeConfig
version: v2alpha1
name: ciliumnodeconfigs.cilium.io
displayName: Cilium Node Configuration
description: |
CiliumNodeConfig is a list of configuration key-value pairs. It is applied to
nodes indicated by a label selector.
- kind: CiliumCIDRGroup
version: v2alpha1
name: ciliumcidrgroups.cilium.io
displayName: Cilium CIDR Group
description: |
CiliumCIDRGroup is a list of CIDRs that can be referenced as a single entity from CiliumNetworkPolicies.
- kind: CiliumL2AnnouncementPolicy
version: v2alpha1
name: ciliuml2announcementpolicies.cilium.io
displayName: Cilium L2 Announcement Policy
description: |
CiliumL2AnnouncementPolicy is a policy which determines which service IPs will be announced to
the local area network, by which nodes, and via which interfaces.
- kind: CiliumPodIPPool
version: v2alpha1
name: ciliumpodippools.cilium.io
displayName: Cilium Pod IP Pool
description: |
CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
apiVersion: v2
appVersion: 1.14.4
description: eBPF-based Networking, Security, and Observability
home: https://cilium.io/
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
keywords:
- BPF
- eBPF
- Kubernetes
- Networking
- Security
- Observability
- Troubleshooting
kubeVersion: '>= 1.16.0-0'
name: cilium
sources:
- https://github.com/cilium/cilium
version: 1.14.4

202
system/cilium/charts/cilium/LICENSE Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} Authors of Cilium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

741
system/cilium/charts/cilium/README.md Normal file
View File

@@ -0,0 +1,741 @@
# cilium
![Version: 1.14.4](https://img.shields.io/badge/Version-1.14.4-informational?style=flat-square) ![AppVersion: 1.14.4](https://img.shields.io/badge/AppVersion-1.14.4-informational?style=flat-square)
Cilium is open source software for providing and transparently securing
network connectivity and loadbalancing between application workloads such as
application containers or processes. Cilium operates at Layer 3/4 to provide
traditional networking and security services as well as Layer 7 to protect and
secure use of modern application protocols such as HTTP, gRPC and Kafka.
A new Linux kernel technology called eBPF is at the foundation of Cilium.
It supports dynamic insertion of eBPF bytecode into the Linux kernel at various
integration points such as: network IO, application sockets, and tracepoints
to implement security, networking and visibility logic. eBPF is highly
efficient and flexible.
![Cilium feature overview](https://raw.githubusercontent.com/cilium/cilium/main/Documentation/images/cilium_overview.png)
## Prerequisites
* Kubernetes: `>= 1.16.0-0`
* Helm: `>= 3.0`
## Getting Started
Try Cilium on any Kubernetes distribution in under 15 minutes:
| Minikube | Self-Managed K8s | Amazon EKS | Google GKE | Microsoft AKS |
|:-:|:-:|:-:|:-:|:-:|
| [![Minikube](https://raw.githubusercontent.com/cilium/charts/master/images/minikube.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Self-Managed Kubernetes](https://raw.githubusercontent.com/cilium/charts/master/images/k8s.png)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Amazon EKS](https://raw.githubusercontent.com/cilium/charts/master/images/aws.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Google GKE](https://raw.githubusercontent.com/cilium/charts/master/images/google-cloud.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Microsoft AKS](https://raw.githubusercontent.com/cilium/charts/master/images/azure.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) |
Or, for a quick install with the default configuration:
```
$ helm repo add cilium https://helm.cilium.io/
$ helm install cilium cilium/cilium --namespace=kube-system
```
After Cilium is installed, you can explore the features that Cilium has to
offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/gettingstarted/).
## Source Code
* <https://github.com/cilium/cilium>
## Getting Help
The best way to get help if you get stuck is to ask a question on the
[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
contributors across the globe, there is almost always someone available to help.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| MTU | int | `0` | Configure the underlying network MTU to overwrite auto-detected MTU. |
| affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-agent. |
| agent | bool | `true` | Install the cilium agent resources. |
| agentNotReadyTaintKey | string | `"node.cilium.io/agent-not-ready"` | Configure the key of the taint indicating that Cilium is not ready on the node. When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. |
| aksbyocni.enabled | bool | `false` | Enable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (`azure.enabled`) instead. |
| alibabacloud.enabled | bool | `false` | Enable AlibabaCloud ENI integration |
| annotateK8sNode | bool | `false` | Annotate k8s node upon initialization with Cilium's metadata. |
| authentication.enabled | bool | `true` | Enable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. |
| authentication.gcInterval | string | `"5m0s"` | Interval for garbage collection of auth map entries. |
| authentication.mutual.port | int | `4250` | Port on the agent where mutual authentication handshakes between agents will be performed |
| authentication.mutual.spire.adminSocketPath | string | `"/run/spire/sockets/admin.sock"` | SPIRE socket path where the SPIRE delegated api agent is listening |
| authentication.mutual.spire.agentSocketPath | string | `"/run/spire/sockets/agent/agent.sock"` | SPIRE socket path where the SPIRE workload agent is listening. Applies to both the Cilium Agent and Operator |
| authentication.mutual.spire.connectionTimeout | string | `"30s"` | SPIRE connection timeout |
| authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) |
| authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations |
| authentication.mutual.spire.install.agent.image | string | `"ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823"` | SPIRE agent image |
| authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels |
| authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account |
| authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. |
| authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
| authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
| authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
| authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
| authentication.mutual.spire.install.server.ca.keyType | string | `"rsa-4096"` | SPIRE CA key type AWS requires the use of RSA. EC cryptography is not supported |
| authentication.mutual.spire.install.server.ca.subject | object | `{"commonName":"Cilium SPIRE CA","country":"US","organization":"SPIRE"}` | SPIRE CA Subject |
| authentication.mutual.spire.install.server.dataStorage.accessMode | string | `"ReadWriteOnce"` | Access mode of the SPIRE server data storage |
| authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage |
| authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage |
| authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage |
| authentication.mutual.spire.install.server.image | string | `"ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f"` | SPIRE server image |
| authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers |
| authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels |
| authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| authentication.mutual.spire.install.server.service.annotations | object | `{}` | Annotations to be added to the SPIRE server service |
| authentication.mutual.spire.install.server.service.labels | object | `{}` | Labels to be added to the SPIRE server service |
| authentication.mutual.spire.install.server.service.type | string | `"ClusterIP"` | Service type for the SPIRE server service |
| authentication.mutual.spire.install.server.serviceAccount | object | `{"create":true,"name":"spire-server"}` | SPIRE server service account |
| authentication.mutual.spire.install.server.tolerations | list | `[]` | SPIRE server tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| authentication.mutual.spire.serverAddress | string | `nil` | SPIRE server address used by Cilium Operator If k8s Service DNS along with port number is used (e.g. <service-name>.<namespace>.svc(.*):<port-number> format), Cilium Operator will resolve its address by looking up the clusterIP from Service resource. Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081 |
| authentication.mutual.spire.trustDomain | string | `"spiffe.cilium"` | SPIFFE trust domain to use for fetching certificates |
| authentication.queueSize | int | `1024` | Buffer size of the channel Cilium uses to receive authentication events from the signal map. |
| authentication.rotatedIdentitiesQueueSize | int | `1024` | Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers. |
| autoDirectNodeRoutes | bool | `false` | Enable installation of PodCIDR routes between worker nodes if worker nodes share a common L2 network segment. |
| azure.enabled | bool | `false` | Enable Azure integration. Note that this is incompatible with AKS clusters created in BYOCNI mode: use AKS BYOCNI integration (`aksbyocni.enabled`) instead. |
| bandwidthManager | object | `{"bbr":false,"enabled":false}` | Enable bandwidth manager to optimize TCP and UDP workloads and allow for rate-limiting traffic from individual Pods with EDT (Earliest Departure Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. |
| bandwidthManager.bbr | bool | `false` | Activate BBR TCP congestion control for Pods |
| bandwidthManager.enabled | bool | `false` | Enable bandwidth manager infrastructure (also prerequirement for BBR) |
| bgp | object | `{"announce":{"loadbalancerIP":false,"podCIDR":false},"enabled":false}` | Configure BGP |
| bgp.announce.loadbalancerIP | bool | `false` | Enable allocation and announcement of service LoadBalancer IPs |
| bgp.announce.podCIDR | bool | `false` | Enable announcement of node pod CIDR |
| bgp.enabled | bool | `false` | Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside cilium-agent and cilium-operator |
| bgpControlPlane | object | `{"enabled":false}` | This feature set enables virtual BGP routers to be created via CiliumBGPPeeringPolicy CRDs. |
| bgpControlPlane.enabled | bool | `false` | Enables the BGP control plane. |
| bpf.authMapMax | int | `524288` | Configure the maximum number of entries in auth map. |
| bpf.autoMount.enabled | bool | `true` | Enable automatic mount of BPF filesystem When `autoMount` is enabled, the BPF filesystem is mounted at `bpf.root` path on the underlying host and inside the cilium agent pod. If users disable `autoMount`, it's expected that users have mounted bpffs filesystem at the specified `bpf.root` volume, and then the volume will be mounted inside the cilium agent pod at the same path. |
| bpf.ctAnyMax | int | `262144` | Configure the maximum number of entries for the non-TCP connection tracking table. |
| bpf.ctTcpMax | int | `524288` | Configure the maximum number of entries in the TCP connection tracking table. |
| bpf.hostLegacyRouting | bool | `false` | Configure whether direct routing mode should route traffic via host stack (true) or directly and more efficiently out of BPF (false) if the kernel supports it. The latter has the implication that it will also bypass netfilter in the host namespace. |
| bpf.lbExternalClusterIP | bool | `false` | Allow cluster external access to ClusterIP services. |
| bpf.lbMapMax | int | `65536` | Configure the maximum number of service entries in the load balancer maps. |
| bpf.mapDynamicSizeRatio | float64 | `0.0025` | Configure auto-sizing for all BPF maps based on available memory. ref: https://docs.cilium.io/en/stable/network/ebpf/maps/ |
| bpf.masquerade | bool | `false` | Enable native IP masquerade support in eBPF |
| bpf.monitorAggregation | string | `"medium"` | Configure the level of aggregation for monitor notifications. Valid options are none, low, medium, maximum. |
| bpf.monitorFlags | string | `"all"` | Configure which TCP flags trigger notifications when seen for the first time in a connection. |
| bpf.monitorInterval | string | `"5s"` | Configure the typical time between monitor notifications for active connections. |
| bpf.natMax | int | `524288` | Configure the maximum number of entries for the NAT table. |
| bpf.neighMax | int | `524288` | Configure the maximum number of entries for the neighbor table. |
| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). |
| bpf.preallocateMaps | bool | `false` | Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency. |
| bpf.root | string | `"/sys/fs/bpf"` | Configure the mount point for the BPF filesystem |
| bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
| bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
| bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
| certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
| certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
| certgen.extraVolumes | list | `[]` | Additional certgen volumes. |
| certgen.podLabels | object | `{}` | Labels to be added to hubble-certgen pods |
| certgen.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| certgen.ttlSecondsAfterFinished | int | `1800` | Seconds after which the completed job pod will be deleted |
| cgroup | object | `{"autoMount":{"enabled":true,"resources":{}},"hostRoot":"/run/cilium/cgroupv2"}` | Configure cgroup related configuration |
| cgroup.autoMount.enabled | bool | `true` | Enable auto mount of cgroup2 filesystem. When `autoMount` is enabled, cgroup2 filesystem is mounted at `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. If users disable `autoMount`, it's expected that users have mounted cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the volume will be mounted inside the cilium agent pod at the same path. |
| cgroup.autoMount.resources | object | `{}` | Init Container Cgroup Automount resource limits & requests |
| cgroup.hostRoot | string | `"/run/cilium/cgroupv2"` | Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) |
| cleanBpfState | bool | `false` | Clean all eBPF datapath state from the initContainer of the cilium-agent DaemonSet. WARNING: Use with care! |
| cleanState | bool | `false` | Clean all local Cilium state from the initContainer of the cilium-agent DaemonSet. Implies cleanBpfState: true. WARNING: Use with care! |
| cluster.id | int | `0` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used. |
| cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. |
| clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver |
| clustermesh.apiserver.etcd.image | object | `{"digest":"sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4","useDigest":true}` | Clustermesh API server etcd image. |
| clustermesh.apiserver.etcd.init.resources | object | `{}` | Specifies the resources for etcd init container in the apiserver |
| clustermesh.apiserver.etcd.resources | object | `{}` | Specifies the resources for etcd container in the apiserver |
| clustermesh.apiserver.etcd.securityContext | object | `{}` | Security context to be added to clustermesh-apiserver etcd containers |
| clustermesh.apiserver.extraArgs | list | `[]` | Additional clustermesh-apiserver arguments. |
| clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
| clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
| clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
| clustermesh.apiserver.image | object | `{"digest":"sha256:828a74eea2a15c4196633dc50e4b92ba3a5e3ed8418c2a33e255a9281a1ce42f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.4","useDigest":true}` | Clustermesh API server image. |
| clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
| clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
| clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
| clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:492cde62cb2def832b3213211cb99d59bd9fe9789be32a181fb24554077368b0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.4","useDigest":true}` | KVStoreMesh image. |
| clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
| clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
| clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
| clustermesh.apiserver.metrics.etcd.enabled | bool | `false` | Enables exporting etcd metrics in OpenMetrics format. |
| clustermesh.apiserver.metrics.etcd.mode | string | `"basic"` | Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. |
| clustermesh.apiserver.metrics.etcd.port | int | `9963` | Configure the port the etcd metric server listens on. |
| clustermesh.apiserver.metrics.kvstoremesh.enabled | bool | `true` | Enables exporting KVStoreMesh metrics in OpenMetrics format. |
| clustermesh.apiserver.metrics.kvstoremesh.port | int | `9964` | Configure the port the KVStoreMesh metric server listens on. |
| clustermesh.apiserver.metrics.port | int | `9962` | Configure the port the apiserver metric server listens on. |
| clustermesh.apiserver.metrics.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor clustermesh-apiserver |
| clustermesh.apiserver.metrics.serviceMonitor.enabled | bool | `false` | Enable service monitor. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
| clustermesh.apiserver.metrics.serviceMonitor.etcd.interval | string | `"10s"` | Interval for scrape metrics (etcd metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.etcd.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.etcd.relabelings | string | `nil` | Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics (apiserver metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.interval | string | `"10s"` | Interval for scrape metrics (KVStoreMesh metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.relabelings | string | `nil` | Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor clustermesh-apiserver |
| clustermesh.apiserver.metrics.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) |
| clustermesh.apiserver.metrics.serviceMonitor.relabelings | string | `nil` | Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics) |
| clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
| clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| clustermesh.apiserver.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
| clustermesh.apiserver.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
| clustermesh.apiserver.podLabels | object | `{}` | Labels to be added to clustermesh-apiserver pods |
| clustermesh.apiserver.podSecurityContext | object | `{}` | Security context to be added to clustermesh-apiserver pods |
| clustermesh.apiserver.priorityClassName | string | `""` | The priority class to use for clustermesh-apiserver |
| clustermesh.apiserver.replicas | int | `1` | Number of replicas run for the clustermesh-apiserver deployment. |
| clustermesh.apiserver.resources | object | `{}` | Resource requests and limits for the clustermesh-apiserver |
| clustermesh.apiserver.securityContext | object | `{}` | Security context to be added to clustermesh-apiserver containers |
| clustermesh.apiserver.service.annotations | object | `{}` | Annotations for the clustermesh-apiserver For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 |
| clustermesh.apiserver.service.externalTrafficPolicy | string | `nil` | The externalTrafficPolicy of service used for apiserver access. |
| clustermesh.apiserver.service.internalTrafficPolicy | string | `nil` | The internalTrafficPolicy of service used for apiserver access. |
| clustermesh.apiserver.service.nodePort | int | `32379` | Optional port to use as the node port for apiserver access. WARNING: make sure to configure a different NodePort in each cluster if kube-proxy replacement is enabled, as Cilium is currently affected by a known bug (#24692) when NodePorts are handled by the KPR implementation. If a service with the same NodePort exists both in the local and the remote cluster, all traffic originating from inside the cluster and targeting the corresponding NodePort will be redirected to a local backend, regardless of whether the destination node belongs to the local or the remote cluster. |
| clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. |
| clustermesh.apiserver.tls.admin | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. |
| clustermesh.apiserver.tls.authMode | string | `"legacy"` | Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The "remote" certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The "remote" certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-<cluster-name>). The "remote" certificate must be generated with CN=remote-<cluster-name> if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh. |
| clustermesh.apiserver.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}` | Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. |
| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. |
| clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
| clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. |
| clustermesh.apiserver.tls.ca | object | `{"cert":"","key":""}` | Deprecated in favor of tls.ca. To be removed in 1.15. base64 encoded PEM values for the ExternalWorkload CA certificate and private key. |
| clustermesh.apiserver.tls.ca.cert | string | `""` | Deprecated in favor of tls.ca.cert. To be removed in 1.15. Optional CA cert. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. |
| clustermesh.apiserver.tls.ca.key | string | `""` | Deprecated in favor of tls.ca.key. To be removed in 1.15. Optional CA private key. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. |
| clustermesh.apiserver.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. Used if 'auto' is not enabled. |
| clustermesh.apiserver.tls.remote | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if 'auto' is not enabled. |
| clustermesh.apiserver.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. Used if 'auto' is not enabled. |
| clustermesh.apiserver.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated |
| clustermesh.apiserver.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
| clustermesh.apiserver.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| clustermesh.apiserver.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for clustermesh-apiserver |
| clustermesh.apiserver.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | clustermesh-apiserver update strategy |
| clustermesh.config | object | `{"clusters":[],"domain":"mesh.cilium.io","enabled":false}` | Clustermesh explicit configuration. |
| clustermesh.config.clusters | list | `[]` | List of clusters to be peered in the mesh. |
| clustermesh.config.domain | string | `"mesh.cilium.io"` | Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used. |
| clustermesh.config.enabled | bool | `false` | Enable the Clustermesh explicit configuration. |
| clustermesh.useAPIServer | bool | `false` | Deploy clustermesh-apiserver for clustermesh |
| cni.binPath | string | `"/opt/cni/bin"` | Configure the path to the CNI binary directory on the host. |
| cni.chainingMode | string | `nil` | Configure chaining on top of other CNI plugins. Possible values: - none - aws-cni - flannel - generic-veth - portmap |
| cni.chainingTarget | string | `nil` | A CNI network name in to which the Cilium plugin should be added as a chained plugin. This will cause the agent to watch for a CNI network with this network name. When it is found, this will be used as the basis for Cilium's CNI configuration file. If this is set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode of aws-cni implies a chainingTarget of aws-cni. |
| cni.confFileMountPath | string | `"/tmp/cni-configuration"` | Configure the path to where to mount the ConfigMap inside the agent pod. |
| cni.confPath | string | `"/etc/cni/net.d"` | Configure the path to the CNI configuration directory on the host. |
| cni.configMapKey | string | `"cni-config"` | Configure the key in the CNI ConfigMap to read the contents of the CNI configuration from. |
| cni.customConf | bool | `false` | Skip writing of the CNI configuration. This can be used if writing of the CNI configuration is performed by external automation. |
| cni.exclusive | bool | `true` | Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime. |
| cni.hostConfDirMountPath | string | `"/host/etc/cni/net.d"` | Configure the path to where the CNI configuration directory is mounted inside the agent pod. |
| cni.install | bool | `true` | Install the CNI configuration and binary files into the filesystem. |
| cni.logFile | string | `"/var/run/cilium/cilium-cni.log"` | Configure the log file for CNI logging with retention policy of 7 days. Disable CNI file logging by setting this field to empty explicitly. |
| cni.uninstall | bool | `false` | Remove the CNI configuration and binary files on agent shutdown. Enable this if you're removing Cilium from the cluster. Disable this to prevent the CNI configuration file from being removed during agent upgrade, which can cause nodes to go unmanageable. |
| conntrackGCInterval | string | `"0s"` | Configure how frequently garbage collection should occur for the datapath connection tracking table. |
| conntrackGCMaxInterval | string | `""` | Configure the maximum frequency for the garbage collection of the connection tracking table. Only affects the automatic computation for the frequency and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently clean up unused identities created from ToFQDN policies. |
| containerRuntime | object | `{"integration":"none"}` | Configure container runtime specific integration. Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. |
| containerRuntime.integration | string | `"none"` | Enables specific integrations for container runtimes. Supported values: - crio - none |
| crdWaitTimeout | string | `"5m"` | Configure timeout in which Cilium will exit if CRDs are not available |
| customCalls | object | `{"enabled":false}` | Tail call hooks for custom eBPF programs. |
| customCalls.enabled | bool | `false` | Enable tail call hooks for custom eBPF programs. |
| daemon.allowedConfigOverrides | string | `nil` | allowedConfigOverrides is a list of config-map keys that can be overridden. That is to say, if this value is set, config sources (excepting the first one) can only override keys in this list. This takes precedence over blockedConfigOverrides. By default, all keys may be overridden. To disable overrides, set this to "none" or change the configSources variable. |
| daemon.blockedConfigOverrides | string | `nil` | blockedConfigOverrides is a list of config-map keys that may not be overridden. In other words, if any of these keys appear in a configuration source excepting the first one, they will be ignored This is ignored if allowedConfigOverrides is set. By default, all keys may be overridden. |
| daemon.configSources | string | `nil` | Configure a custom list of possible configuration override sources The default is "config-map:cilium-config,cilium-node-config". For supported values, see the help text for the build-config subcommand. Note that this value should be a comma-separated string. |
| daemon.runPath | string | `"/var/run/cilium"` | Configure where Cilium runtime state should be stored. |
| dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-agent grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
| debug.enabled | bool | `false` | Enable debug logging |
| debug.verbose | string | `nil` | Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Applicable values: - flow - kvstore - envoy - datapath - policy |
| disableEndpointCRD | bool | `false` | Disable the usage of CiliumEndpoint CRD. |
| dnsPolicy | string | `""` | DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
| dnsProxy.dnsRejectResponseCode | string | `"refused"` | DNS response code for rejecting DNS requests, available options are '[nameError refused]'. |
| dnsProxy.enableDnsCompression | bool | `true` | Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. |
| dnsProxy.endpointMaxIpPerHostname | int | `50` | Maximum number of IPs to maintain per FQDN name for each endpoint. |
| dnsProxy.idleConnectionGracePeriod | string | `"0s"` | Time during which idle but previously active connections with expired DNS lookups are still considered alive. |
| dnsProxy.maxDeferredConnectionDeletes | int | `10000` | Maximum number of IPs to retain for expired DNS lookups with still-active connections. |
| dnsProxy.minTtl | int | `0` | The minimum time, in seconds, to use DNS data for toFQDNs policies. If the upstream DNS server returns a DNS record with a shorter TTL, Cilium overwrites the TTL with this value. Setting this value to zero means that Cilium will honor the TTLs returned by the upstream DNS server. |
| dnsProxy.preCache | string | `""` | DNS cache data at this path is preloaded on agent startup. |
| dnsProxy.proxyPort | int | `0` | Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. |
| dnsProxy.proxyResponseMaxDelay | string | `"100ms"` | The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. |
| egressGateway | object | `{"enabled":false,"installRoutes":false,"reconciliationTriggerInterval":"1s"}` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
| egressGateway.installRoutes | bool | `false` | Install egress gateway IP rules and routes in order to properly steer egress gateway traffic to the correct ENI interface |
| egressGateway.reconciliationTriggerInterval | string | `"1s"` | Time between triggers of egress gateway state reconciliations |
| enableCiliumEndpointSlice | bool | `false` | Enable CiliumEndpointSlice feature. |
| enableCnpStatusUpdates | bool | `false` | Whether to enable CNP status updates. |
| enableCriticalPriorityClass | bool | `true` | Explicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in `helm template` calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance. |
| enableIPv4BIGTCP | bool | `false` | Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods |
| enableIPv4Masquerade | bool | `true` | Enables masquerading of IPv4 traffic leaving the node from endpoints. |
| enableIPv6BIGTCP | bool | `false` | Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods |
| enableIPv6Masquerade | bool | `true` | Enables masquerading of IPv6 traffic leaving the node from endpoints. |
| enableK8sEventHandover | bool | `false` | Configures the use of the KVStore to optimize Kubernetes event handling by mirroring it into the KVstore for reduced overhead in large clusters. |
| enableK8sTerminatingEndpoint | bool | `true` | Configure whether to enable auto detect of terminating state for endpoints in order to support graceful termination. |
| enableRuntimeDeviceDetection | bool | `false` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. |
| enableXTSocketFallback | bool | `true` | Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. |
| encryption.enabled | bool | `false` | Enable transparent network encryption. |
| encryption.interface | string | `""` | Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15. The interface to use for encrypted traffic. This option is only effective when encryption.type is set to ipsec. |
| encryption.ipsec.interface | string | `""` | The interface to use for encrypted traffic. |
| encryption.ipsec.keyFile | string | `""` | Name of the key file inside the Kubernetes secret configured via secretName. |
| encryption.ipsec.keyRotationDuration | string | `"5m"` | Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. |
| encryption.ipsec.keyWatcher | bool | `true` | Enable the key watcher. If disabled, a restart of the agent will be necessary on key rotations. |
| encryption.ipsec.mountPath | string | `""` | Path to mount the secret inside the Cilium pod. |
| encryption.ipsec.secretName | string | `""` | Name of the Kubernetes secret containing the encryption keys. |
| encryption.keyFile | string | `"keys"` | Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. Name of the key file inside the Kubernetes secret configured via secretName. This option is only effective when encryption.type is set to ipsec. |
| encryption.mountPath | string | `"/etc/ipsec"` | Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. Path to mount the secret inside the Cilium pod. This option is only effective when encryption.type is set to ipsec. |
| encryption.nodeEncryption | bool | `false` | Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard". |
| encryption.secretName | string | `"cilium-ipsec-keys"` | Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. Name of the Kubernetes secret containing the encryption keys. This option is only effective when encryption.type is set to ipsec. |
| encryption.type | string | `"ipsec"` | Encryption method. Can be either ipsec or wireguard. |
| encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation. |
| endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. |
| endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. |
| endpointStatus | object | `{"enabled":false,"status":""}` | Enable endpoint status. Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. |
| eni.awsEnablePrefixDelegation | bool | `false` | Enable ENI prefix delegation |
| eni.awsReleaseExcessIPs | bool | `false` | Release IPs not used from the ENI |
| eni.ec2APIEndpoint | string | `""` | EC2 API endpoint to use |
| eni.enabled | bool | `false` | Enable Elastic Network Interface (ENI) integration. |
| eni.eniTags | object | `{}` | Tags to apply to the newly created ENIs |
| eni.gcInterval | string | `"5m"` | Interval for garbage collection of unattached ENIs. Set to "0s" to disable. |
| eni.gcTags | object | `{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":"<auto-detected>"}` | Additional tags attached to ENIs created by Cilium. Dangling ENIs with this tag will be garbage collected |
| eni.iamRole | string | `""` | If using IAM role for Service Accounts will not try to inject identity values from cilium-aws kubernetes secret. Adds annotation to service account if managed by Helm. See https://github.com/aws/amazon-eks-pod-identity-webhook |
| eni.instanceTagsFilter | list | `[]` | Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances are going to be used to create new ENIs |
| eni.subnetIDsFilter | list | `[]` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
| eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
| eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
| envoy.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
| envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
| envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
| envoy.enabled | bool | `false` | Enable Envoy Proxy in standalone DaemonSet. |
| envoy.extraArgs | list | `[]` | Additional envoy container arguments. |
| envoy.extraContainers | list | `[]` | Additional containers added to the cilium Envoy DaemonSet. |
| envoy.extraEnv | list | `[]` | Additional envoy container environment variables. |
| envoy.extraHostPathMounts | list | `[]` | Additional envoy hostPath mounts. |
| envoy.extraVolumeMounts | list | `[]` | Additional envoy volumeMounts. |
| envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
| envoy.healthPort | int | `9878` | TCP port for the health API. |
| envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
| envoy.image | object | `{"digest":"sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1","useDigest":true}` | Envoy container image. |
| envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
| envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
| envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
| envoy.log.path | string | `""` | Path to a separate Envoy log file, if any. Defaults to /dev/stdout. |
| envoy.maxConnectionDurationSeconds | int | `0` | Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable) |
| envoy.maxRequestsPerConnection | int | `0` | ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy |
| envoy.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-envoy. |
| envoy.podAnnotations | object | `{}` | Annotations to be added to envoy pods |
| envoy.podLabels | object | `{}` | Labels to be added to envoy pods |
| envoy.podSecurityContext | object | `{}` | Security Context for cilium-envoy pods. |
| envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. |
| envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy |
| envoy.prometheus.port | string | `"9964"` | Serve prometheus metrics for cilium-envoy on the configured port |
| envoy.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-envoy |
| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
| envoy.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
| envoy.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-envoy |
| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy |
| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy |
| envoy.readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe |
| envoy.readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe |
| envoy.resources | object | `{}` | Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| envoy.rollOutPods | bool | `false` | Roll out cilium envoy pods automatically when configmap is updated. |
| envoy.securityContext.capabilities.envoy | list | `["NET_ADMIN","SYS_ADMIN"]` | Capabilities for the `cilium-envoy` container |
| envoy.securityContext.privileged | bool | `false` | Run the pod with elevated privileges |
| envoy.securityContext.seLinuxOptions | object | `{"level":"s0","type":"spc_t"}` | SELinux options for the `cilium-envoy` container |
| envoy.startupProbe.failureThreshold | int | `105` | failure threshold of startup probe. 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) |
| envoy.startupProbe.periodSeconds | int | `2` | interval between checks of the startup probe |
| envoy.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-envoy DaemonSet. |
| envoy.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for envoy scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| envoy.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | cilium-envoy update strategy ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset |
| envoyConfig.enabled | bool | `false` | Enable CiliumEnvoyConfig CRD CiliumEnvoyConfig CRD can also be implicitly enabled by other options. |
| envoyConfig.secretsNamespace | object | `{"create":true,"name":"cilium-secrets"}` | SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. |
| envoyConfig.secretsNamespace.create | bool | `true` | Create secrets namespace for CiliumEnvoyConfig CRDs. |
| envoyConfig.secretsNamespace.name | string | `"cilium-secrets"` | The name of the secret namespace to which Cilium agents are given read access. |
| etcd.clusterDomain | string | `"cluster.local"` | Cluster domain for cilium-etcd-operator. |
| etcd.enabled | bool | `false` | Enable etcd mode for the agent. |
| etcd.endpoints | list | `["https://CHANGE-ME:2379"]` | List of etcd endpoints (not needed when using managed=true). |
| etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. |
| etcd.extraVolumeMounts | list | `[]` | Additional cilium-etcd-operator volumeMounts. |
| etcd.extraVolumes | list | `[]` | Additional cilium-etcd-operator volumes. |
| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. |
| etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. |
| etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods |
| etcd.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| etcd.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
| etcd.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
| etcd.podLabels | object | `{}` | Labels to be added to cilium-etcd-operator pods |
| etcd.podSecurityContext | object | `{}` | Security context to be added to cilium-etcd-operator pods |
| etcd.priorityClassName | string | `""` | The priority class to use for cilium-etcd-operator |
| etcd.resources | object | `{}` | cilium-etcd-operator resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| etcd.securityContext | object | `{}` | Security context to be added to cilium-etcd-operator pods |
| etcd.ssl | bool | `false` | Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if managed=true) |
| etcd.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for cilium-etcd-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| etcd.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for cilium-etcd-operator |
| etcd.updateStrategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":1},"type":"RollingUpdate"}` | cilium-etcd-operator update strategy |
| externalIPs.enabled | bool | `false` | Enable ExternalIPs service support. |
| externalWorkloads | object | `{"enabled":false}` | Configure external workloads support |
| externalWorkloads.enabled | bool | `false` | Enable support for external workloads, such as VMs (false by default). |
| extraArgs | list | `[]` | Additional agent container arguments. |
| extraConfig | object | `{}` | extraConfig allows you to specify additional configuration parameters to be included in the cilium-config configmap. |
| extraContainers | list | `[]` | Additional containers added to the cilium DaemonSet. |
| extraEnv | list | `[]` | Additional agent container environment variables. |
| extraHostPathMounts | list | `[]` | Additional agent hostPath mounts. |
| extraVolumeMounts | list | `[]` | Additional agent volumeMounts. |
| extraVolumes | list | `[]` | Additional agent volumes. |
| gatewayAPI.enabled | bool | `false` | Enable support for Gateway API in cilium This will automatically set enable-envoy-config as well. |
| gatewayAPI.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. |
| gatewayAPI.secretsNamespace.create | bool | `true` | Create secrets namespace for Gateway API. |
| gatewayAPI.secretsNamespace.name | string | `"cilium-secrets"` | Name of Gateway API secret namespace. |
| gatewayAPI.secretsNamespace.sync | bool | `true` | Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally. |
| gke.enabled | bool | `false` | Enable Google Kubernetes Engine integration |
| healthChecking | bool | `true` | Enable connectivity health checking. |
| healthPort | int | `9879` | TCP port for the agent health API. This is not the port for cilium-health. |
| highScaleIPcache | object | `{"enabled":false}` | EnableHighScaleIPcache enables the special ipcache mode for high scale clusters. The ipcache content will be reduced to the strict minimum and traffic will be encapsulated to carry security identities. |
| highScaleIPcache.enabled | bool | `false` | Enable the high scale mode for the ipcache. |
| hostFirewall | object | `{"enabled":false}` | Configure the host firewall. |
| hostFirewall.enabled | bool | `false` | Enables the enforcement of host policies in the eBPF datapath. |
| hostPort.enabled | bool | `false` | Enable hostPort service support. |
| hubble.enabled | bool | `true` | Enable Hubble (true by default). |
| hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. |
| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. |
| hubble.metrics.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for hubble grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
| hubble.metrics.enableOpenMetrics | bool | `false` | Enables exporting hubble metrics in OpenMetrics format. |
| hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" |
| hubble.metrics.port | int | `9965` | Configure the port the hubble metric server listens on. |
| hubble.metrics.serviceAnnotations | object | `{}` | Annotations to be added to hubble-metrics service. |
| hubble.metrics.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor hubble |
| hubble.metrics.serviceMonitor.enabled | bool | `false` | Create ServiceMonitor resources for Prometheus Operator. This requires the prometheus CRDs to be available. ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
| hubble.metrics.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
| hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble |
| hubble.metrics.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor hubble |
| hubble.metrics.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor hubble |
| hubble.peerService.clusterDomain | string | `"cluster.local"` | The cluster domain to use to query the Hubble Peer service. It should be the local cluster. |
| hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service, must match the hubble.listenAddress' port. |
| hubble.preferIpv6 | bool | `false` | Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. |
| hubble.relay.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for hubble-replay |
| hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
| hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
| hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
| hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
| hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
| hubble.relay.image | object | `{"digest":"sha256:ca81622fd9f04c1316bf4144bde5dbce613758810f6022f6c706b14c9c0815db","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.4","useDigest":true}` | Hubble-relay container image. |
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| hubble.relay.podAnnotations | object | `{}` | Annotations to be added to hubble-relay pods |
| hubble.relay.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| hubble.relay.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
| hubble.relay.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
| hubble.relay.podLabels | object | `{}` | Labels to be added to hubble-relay pods |
| hubble.relay.podSecurityContext | object | `{"fsGroup":65532}` | hubble-relay pod security context |
| hubble.relay.pprof.address | string | `"localhost"` | Configure pprof listen address for hubble-relay |
| hubble.relay.pprof.enabled | bool | `false` | Enable pprof for hubble-relay |
| hubble.relay.pprof.port | int | `6062` | Configure pprof listen port for hubble-relay |
| hubble.relay.priorityClassName | string | `""` | The priority class to use for hubble-relay |
| hubble.relay.prometheus | object | `{"enabled":false,"port":9966,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":null}}` | Enable prometheus metrics for hubble-relay on the configured port at /metrics |
| hubble.relay.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor hubble-relay |
| hubble.relay.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
| hubble.relay.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
| hubble.relay.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble-relay |
| hubble.relay.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor hubble-relay |
| hubble.relay.prometheus.serviceMonitor.relabelings | string | `nil` | Relabeling configs for the ServiceMonitor hubble-relay |
| hubble.relay.replicas | int | `1` | Number of replicas run for the hubble-relay deployment. |
| hubble.relay.resources | object | `{}` | Specifies the resources for the hubble-relay pods |
| hubble.relay.retryTimeout | string | `nil` | Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). |
| hubble.relay.rollOutPods | bool | `false` | Roll out Hubble Relay pods automatically when configmap is updated. |
| hubble.relay.securityContext | object | `{"capabilities":{"drop":["ALL"]},"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | hubble-relay container security context |
| hubble.relay.service | object | `{"nodePort":31234,"type":"ClusterIP"}` | hubble-relay service configuration. |
| hubble.relay.service.nodePort | int | `31234` | - The port to use when the service type is set to NodePort. |
| hubble.relay.service.type | string | `"ClusterIP"` | - The type of service used for Hubble Relay access, either ClusterIP or NodePort. |
| hubble.relay.sortBufferDrainTimeout | string | `nil` | When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). |
| hubble.relay.sortBufferLenMax | string | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). |
| hubble.relay.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for hubble relay Deployment. |
| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false}}` | TLS configuration for Hubble Relay |
| hubble.relay.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the hubble-relay client certificate and private key This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false}` | base64 encoded PEM values for the hubble-relay server certificate and private key |
| hubble.relay.tls.server.extraDnsNames | list | `[]` | extra DNS names added to certificate when its auto gen |
| hubble.relay.tls.server.extraIpAddresses | list | `[]` | extra IP addresses added to certificate when its auto gen |
| hubble.relay.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| hubble.relay.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for hubble-relay |
| hubble.relay.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-relay update strategy |
| hubble.skipUnknownCGroupIDs | bool | `true` | Skip Hubble events with unknown cgroup ids |
| hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. |
| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. |
| hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
| hubble.tls.auto.enabled | bool | `true` | Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below. |
| hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates. |
| hubble.tls.auto.schedule | string | `"0 0 1 */4 *"` | Schedule for certificates regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time. Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax |
| hubble.tls.enabled | bool | `true` | Enable mutual TLS for listenAddress. Setting this value to false is highly discouraged as the Hubble API provides access to potentially sensitive network flow metadata and is exposed on the host network. |
| hubble.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the Hubble server certificate and private key |
| hubble.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated |
| hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
| hubble.ui.affinity | object | `{}` | Affinity for hubble-ui |
| hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
| hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
| hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
| hubble.ui.backend.image | object | `{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}` | Hubble-ui backend image. |
| hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
| hubble.ui.backend.securityContext | object | `{}` | Hubble-ui backend security context. |
| hubble.ui.baseUrl | string | `"/"` | Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing `/` is required for custom path, ex. `/service-map/` |
| hubble.ui.enabled | bool | `false` | Whether to enable the Hubble UI. |
| hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
| hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
| hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
| hubble.ui.frontend.image | object | `{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}` | Hubble-ui frontend image. |
| hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
| hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
| hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
| hubble.ui.ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":["chart-example.local"],"labels":{},"tls":[]}` | hubble-ui ingress configuration. |
| hubble.ui.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| hubble.ui.podAnnotations | object | `{}` | Annotations to be added to hubble-ui pods |
| hubble.ui.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| hubble.ui.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
| hubble.ui.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
| hubble.ui.podLabels | object | `{}` | Labels to be added to hubble-ui pods |
| hubble.ui.priorityClassName | string | `""` | The priority class to use for hubble-ui |
| hubble.ui.replicas | int | `1` | The number of replicas of Hubble UI to deploy. |
| hubble.ui.rollOutPods | bool | `false` | Roll out Hubble-ui pods automatically when configmap is updated. |
| hubble.ui.securityContext | object | `{"fsGroup":1001,"runAsGroup":1001,"runAsUser":1001}` | Security context to be added to Hubble UI pods |
| hubble.ui.service | object | `{"annotations":{},"nodePort":31235,"type":"ClusterIP"}` | hubble-ui service configuration. |
| hubble.ui.service.annotations | object | `{}` | Annotations to be added for the Hubble UI service |
| hubble.ui.service.nodePort | int | `31235` | - The port to use when the service type is set to NodePort. |
| hubble.ui.service.type | string | `"ClusterIP"` | - The type of service used for Hubble UI access, either ClusterIP or NodePort. |
| hubble.ui.standalone.enabled | bool | `false` | When true, it will allow installing the Hubble UI only, without checking dependencies. It is useful if a cluster already has cilium and Hubble relay installed and you just want Hubble UI to be deployed. When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` |
| hubble.ui.standalone.tls.certsVolume | object | `{}` | When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates. |
| hubble.ui.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values used to connect to hubble-relay This keypair is presented to Hubble Relay instances for mTLS authentication and is required when hubble.relay.tls.server.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
| hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| hubble.ui.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for hubble-ui |
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
| identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
| image | object | `{"digest":"sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":true}` | Agent container image. |
| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
| ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
| ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
| ingressController.defaultSecretNamespace | string | `nil` | Default secret namespace for ingresses without .spec.tls[].secretName set. |
| ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
| ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
| ingressController.ingressLBAnnotationPrefixes | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate from Ingress to the Load Balancer service |
| ingressController.loadbalancerMode | string | `"dedicated"` | Default ingress load balancer mode Supported values: shared, dedicated For granular control, use the following annotations on the ingress resource ingress.cilium.io/loadbalancer-mode: shared|dedicated, |
| ingressController.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. |
| ingressController.secretsNamespace.create | bool | `true` | Create secrets namespace for Ingress. |
| ingressController.secretsNamespace.name | string | `"cilium-secrets"` | Name of Ingress secret namespace. |
| ingressController.secretsNamespace.sync | bool | `true` | Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally. |
| ingressController.service | object | `{"allocateLoadBalancerNodePorts":null,"annotations":{},"insecureNodePort":null,"labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"name":"cilium-ingress","secureNodePort":null,"type":"LoadBalancer"}` | Load-balancer service in shared mode. This is a single load-balancer service for all Ingress resources. |
| ingressController.service.allocateLoadBalancerNodePorts | string | `nil` | Configure if node port allocation is required for LB service ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation |
| ingressController.service.annotations | object | `{}` | Annotations to be added for the shared LB service |
| ingressController.service.insecureNodePort | string | `nil` | Configure a specific nodePort for insecure HTTP traffic on the shared LB service |
| ingressController.service.labels | object | `{}` | Labels to be added for the shared LB service |
| ingressController.service.loadBalancerClass | string | `nil` | Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) |
| ingressController.service.loadBalancerIP | string | `nil` | Configure a specific loadBalancerIP on the shared LB service |
| ingressController.service.name | string | `"cilium-ingress"` | Service name |
| ingressController.service.secureNodePort | string | `nil` | Configure a specific nodePort for secure HTTPS traffic on the shared LB service |
| ingressController.service.type | string | `"LoadBalancer"` | Service type for the shared LB service |
| installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. |
| ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent |
| ipam.ciliumNodeUpdateRate | string | `"15s"` | Maximum rate at which the CiliumNode custom resource is updated. |
| ipam.mode | string | `"cluster-pool"` | Configure IP Address Management mode. ref: https://docs.cilium.io/en/stable/network/concepts/ipam/ |
| ipam.operator.autoCreateCiliumPodIPPools | object | `{}` | IP pools to auto-create in multi-pool IPAM mode. |
| ipam.operator.clusterPoolIPv4MaskSize | int | `24` | IPv4 CIDR mask size to delegate to individual nodes for IPAM. |
| ipam.operator.clusterPoolIPv4PodCIDRList | list | `["10.0.0.0/8"]` | IPv4 CIDR list range to delegate to individual nodes for IPAM. |
| ipam.operator.clusterPoolIPv6MaskSize | int | `120` | IPv6 CIDR mask size to delegate to individual nodes for IPAM. |
| ipam.operator.clusterPoolIPv6PodCIDRList | list | `["fd00::/104"]` | IPv6 CIDR list range to delegate to individual nodes for IPAM. |
| ipam.operator.externalAPILimitBurstSize | string | `20` | The maximum burst size when rate limiting access to external APIs. Also known as the token bucket capacity. |
| ipam.operator.externalAPILimitQPS | string | `4.0` | The maximum queries per second when rate limiting access to external APIs. Also known as the bucket refill rate, which is used to refill the bucket up to the burst size capacity. |
| ipv4.enabled | bool | `true` | Enable IPv4 support. |
| ipv4NativeRoutingCIDR | string | `""` | Allows to explicitly specify the IPv4 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. |
| ipv6.enabled | bool | `false` | Enable IPv6 support. |
| ipv6NativeRoutingCIDR | string | `""` | Allows to explicitly specify the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. |
| k8s | object | `{}` | Configure Kubernetes specific configuration |
| k8sClientRateLimit | object | `{"burst":10,"qps":5}` | Configure the client side rate limit for the agent and operator If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent and operator will start to throttle requests by delaying them until there is budget or the request times out. |
| k8sClientRateLimit.burst | int | `10` | The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate. |
| k8sClientRateLimit.qps | int | `5` | The sustained request rate in requests per second. |
| k8sNetworkPolicy.enabled | bool | `true` | Enable support for K8s NetworkPolicy |
| k8sServiceHost | string | `""` | Kubernetes service host |
| k8sServicePort | string | `""` | Kubernetes service port |
| keepDeprecatedLabels | bool | `false` | Keep the deprecated selector labels when deploying Cilium DaemonSet. |
| keepDeprecatedProbes | bool | `false` | Keep the deprecated probes when deploying Cilium DaemonSet |
| kubeConfigPath | string | `"~/.kube/config"` | Kubernetes config path |
| kubeProxyReplacementHealthzBindAddr | string | `""` | healthz server bind address for the kube-proxy replacement. To enable set the value to '0.0.0.0:10256' for all ipv4 addresses and this '[::]:10256' for all ipv6 addresses. By default it is disabled. |
| l2NeighDiscovery.enabled | bool | `true` | Enable L2 neighbor discovery in the agent |
| l2NeighDiscovery.refreshPeriod | string | `"30s"` | Override the agent's default neighbor resolution refresh period. |
| l2announcements | object | `{"enabled":false}` | Configure L2 announcements |
| l2announcements.enabled | bool | `false` | Enable L2 announcements |
| l2podAnnouncements | object | `{"enabled":false,"interface":"eth0"}` | Configure L2 pod announcements |
| l2podAnnouncements.enabled | bool | `false` | Enable L2 pod announcements |
| l2podAnnouncements.interface | string | `"eth0"` | Interface used for sending Gratuitous ARP pod announcements |
| l7Proxy | bool | `true` | Enable Layer 7 network policy. |
| livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
| livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
| loadBalancer | object | `{"l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}` | Configure service load balancing |
| loadBalancer.l7 | object | `{"algorithm":"round_robin","backend":"disabled","ports":[]}` | L7 LoadBalancer |
| loadBalancer.l7.algorithm | string | `"round_robin"` | Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. service.cilium.io/lb-l7-algorithm) Applicable values: round_robin, least_request, random |
| loadBalancer.l7.backend | string | `"disabled"` | Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration. Applicable values: - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - disabled: Disable L7 load balancing by way of service annotation. |
| loadBalancer.l7.ports | list | `[]` | List of ports from service to be automatically redirected to above backend. Any service exposing one of these ports will be automatically redirected. Fine-grained control can be achieved by using the service annotation. |
| localRedirectPolicy | bool | `false` | Enable Local Redirect Policy. |
| logSystemLoad | bool | `false` | Enables periodic logging of system load |
| maglev | object | `{}` | Configure maglev consistent hashing |
| monitor | object | `{"enabled":false}` | cilium-monitor sidecar. |
| monitor.enabled | bool | `false` | Enable the cilium-monitor sidecar. |
| name | string | `"cilium"` | Agent container name. |
| nat46x64Gateway | object | `{"enabled":false}` | Configure standalone NAT46/NAT64 gateway |
| nat46x64Gateway.enabled | bool | `false` | Enable RFC8215-prefixed translation |
| nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enabled":false}` | Configure N-S k8s service loadbalancing |
| nodePort.autoProtectPortRange | bool | `true` | Append NodePort range to ip_local_reserved_ports if clash with ephemeral ports is detected. |
| nodePort.bindProtection | bool | `true` | Set to true to prevent applications binding to service ports. |
| nodePort.enableHealthCheck | bool | `true` | Enable healthcheck nodePort server for NodePort services |
| nodePort.enabled | bool | `false` | Enable the Cilium NodePort service implementation. |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-agent. |
| nodeinit.affinity | object | `{}` | Affinity for cilium-nodeinit |
| nodeinit.bootstrapFile | string | `"/tmp/cilium-bootstrap.d/cilium-bootstrap-time"` | bootstrapFile is the location of the file where the bootstrap timestamp is written by the node-init DaemonSet |
| nodeinit.enabled | bool | `false` | Enable the node initialization DaemonSet |
| nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
| nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
| nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
| nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
| nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
| nodeinit.prestop | object | `{"postScript":"","preScript":""}` | prestop offers way to customize prestop nodeinit script (pre and post position) |
| nodeinit.priorityClassName | string | `""` | The priority class to use for the nodeinit pod. |
| nodeinit.resources | object | `{"requests":{"cpu":"100m","memory":"100Mi"}}` | nodeinit resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| nodeinit.securityContext | object | `{"capabilities":{"add":["SYS_MODULE","NET_ADMIN","SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]},"privileged":false,"seLinuxOptions":{"level":"s0","type":"spc_t"}}` | Security context to be added to nodeinit pods. |
| nodeinit.startup | object | `{"postScript":"","preScript":""}` | startup offers way to customize startup nodeinit script (pre and post position) |
| nodeinit.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for nodeinit scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| nodeinit.updateStrategy | object | `{"type":"RollingUpdate"}` | node-init update strategy |
| operator.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-operator |
| operator.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-operator grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
| operator.dnsPolicy | string | `""` | DNS policy for Cilium operator pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
| operator.enabled | bool | `true` | Enable the cilium-operator component (required). |
| operator.endpointGCInterval | string | `"5m0s"` | Interval for endpoint garbage collection. |
| operator.extraArgs | list | `[]` | Additional cilium-operator container arguments. |
| operator.extraEnv | list | `[]` | Additional cilium-operator environment variables. |
| operator.extraHostPathMounts | list | `[]` | Additional cilium-operator hostPath mounts. |
| operator.extraVolumeMounts | list | `[]` | Additional cilium-operator volumeMounts. |
| operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
| operator.image | object | `{"alibabacloudDigest":"sha256:2b2c71930db7901e754d5aac119c166faad10e938f73294f1c840cf36d564a3e","awsDigest":"sha256:757966ce5c13055089b092a86c8322a0694b0461a19b65e545e61897f6c9446c","azureDigest":"sha256:f9d1b8663b905fc2af656e61abc54667779081dde2fdbbb90a48200e7b05ff41","genericDigest":"sha256:f0f05e4ba3bb1fe0e4b91144fa4fea637701aba02e6c00b23bd03b4a7e1dfd55","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.4","useDigest":true}` | cilium-operator image. |
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
| operator.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| operator.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
| operator.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
| operator.podLabels | object | `{}` | Labels to be added to cilium-operator pods |
| operator.podSecurityContext | object | `{}` | Security context to be added to cilium-operator pods |
| operator.pprof.address | string | `"localhost"` | Configure pprof listen address for cilium-operator |
| operator.pprof.enabled | bool | `false` | Enable pprof for cilium-operator |
| operator.pprof.port | int | `6061` | Configure pprof listen port for cilium-operator |
| operator.priorityClassName | string | `""` | The priority class to use for cilium-operator |
| operator.prometheus | object | `{"enabled":false,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":null}}` | Enable prometheus metrics for cilium-operator on the configured port at /metrics |
| operator.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-operator |
| operator.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
| operator.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
| operator.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-operator |
| operator.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-operator |
| operator.prometheus.serviceMonitor.relabelings | string | `nil` | Relabeling configs for the ServiceMonitor cilium-operator |
| operator.removeNodeTaints | bool | `true` | Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium pod running. |
| operator.replicas | int | `2` | Number of replicas to run for the cilium-operator deployment |
| operator.resources | object | `{}` | cilium-operator resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| operator.rollOutPods | bool | `false` | Roll out cilium-operator pods automatically when configmap is updated. |
| operator.securityContext | object | `{}` | Security context to be added to cilium-operator pods |
| operator.setNodeNetworkStatus | bool | `true` | Set Node condition NetworkUnavailable to 'false' with the reason 'CiliumIsUp' for nodes that have a healthy Cilium pod. |
| operator.setNodeTaints | string | same as removeNodeTaints | Taint nodes where Cilium is scheduled but not running. This prevents pods from being scheduled to nodes where Cilium is not the default CNI provider. |
| operator.skipCNPStatusStartupClean | bool | `false` | Skip CNP node status clean up at operator startup. |
| operator.skipCRDCreation | bool | `false` | Skip CRDs creation for cilium-operator |
| operator.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for cilium-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| operator.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for cilium-operator |
| operator.unmanagedPodWatcher.intervalSeconds | int | `15` | Interval, in seconds, to check if there are any pods that are not managed by Cilium. |
| operator.unmanagedPodWatcher.restart | bool | `true` | Restart any pod that are not managed by Cilium. |
| operator.updateStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"50%"},"type":"RollingUpdate"}` | cilium-operator update strategy |
| pmtuDiscovery.enabled | bool | `false` | Enable path MTU discovery to send ICMP fragmentation-needed replies to the client. |
| podAnnotations | object | `{}` | Annotations to be added to agent pods |
| podLabels | object | `{}` | Labels to be added to agent pods |
| podSecurityContext | object | `{}` | Security Context for cilium-agent pods. |
| policyEnforcementMode | string | `"default"` | The agent can be put into one of the three policy enforcement modes: default, always and never. ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes |
| pprof.address | string | `"localhost"` | Configure pprof listen address for cilium-agent |
| pprof.enabled | bool | `false` | Enable pprof for cilium-agent |
| pprof.port | int | `6060` | Configure pprof listen port for cilium-agent |
| preflight.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-preflight |
| preflight.enabled | bool | `false` | Enable Cilium pre-flight resources (required for upgrade) |
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
| preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
| preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
| preflight.image | object | `{"digest":"sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":true}` | Cilium pre-flight image. |
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| preflight.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
| preflight.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
| preflight.podLabels | object | `{}` | Labels to be added to the preflight pod. |
| preflight.podSecurityContext | object | `{}` | Security context to be added to preflight pods. |
| preflight.priorityClassName | string | `""` | The priority class to use for the preflight pod. |
| preflight.resources | object | `{}` | preflight resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| preflight.securityContext | object | `{}` | Security context to be added to preflight pods |
| preflight.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for preflight Deployment and DaemonSet. |
| preflight.tofqdnsPreCache | string | `""` | Path to write the `--tofqdns-pre-cache` file to. |
| preflight.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | Node tolerations for preflight scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| preflight.updateStrategy | object | `{"type":"RollingUpdate"}` | preflight update strategy |
| preflight.validateCNPs | bool | `true` | By default we should always validate the installed CNPs before upgrading Cilium. This will make sure the user will have the policies deployed in the cluster with the right schema. |
| priorityClassName | string | `""` | The priority class to use for cilium-agent. |
| prometheus | object | `{"enabled":false,"metrics":null,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"trustCRDsExist":false}}` | Configure prometheus metrics on the configured port at /metrics |
| prometheus.metrics | string | `nil` | Metrics that should be enabled or disabled from the default metric list. The list is expected to be separated by a space. (+metric_foo to enable metric_foo , -metric_bar to disable metric_bar). ref: https://docs.cilium.io/en/stable/observability/metrics/ |
| prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-agent |
| prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
| prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
| prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-agent |
| prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-agent |
| prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-agent |
| prometheus.serviceMonitor.trustCRDsExist | bool | `false` | Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying |
| proxy | object | `{"prometheus":{"enabled":true,"port":null},"sidecarImageRegex":"cilium/istio_proxy"}` | Configure Istio proxy options. |
| proxy.prometheus.enabled | bool | `true` | Deprecated in favor of envoy.prometheus.enabled |
| proxy.prometheus.port | string | `nil` | Deprecated in favor of envoy.prometheus.port |
| proxy.sidecarImageRegex | string | `"cilium/istio_proxy"` | Regular expression matching compatible Istio sidecar istio-proxy container image names |
| rbac.create | bool | `true` | Enable creation of Resource-Based Access Control configuration. |
| readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe |
| readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe |
| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity |
| resourceQuotas | object | `{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}` | Enable resource quotas for priority classes used in the cluster. |
| resources | object | `{}` | Agent resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| rollOutCiliumPods | bool | `false` | Roll out cilium agent pods automatically when configmap is updated. |
| routingMode | string | `"tunnel"` | Enable native-routing mode or tunneling mode. Possible values: - "" - native - tunnel |
| sctp | object | `{"enabled":false}` | SCTP Configuration Values |
| sctp.enabled | bool | `false` | Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming. |
| securityContext.capabilities.applySysctlOverwrites | list | `["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]` | capabilities for the `apply-sysctl-overwrites` init container |
| securityContext.capabilities.ciliumAgent | list | `["CHOWN","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE","DAC_OVERRIDE","FOWNER","SETGID","SETUID"]` | Capabilities for the `cilium-agent` container |
| securityContext.capabilities.cleanCiliumState | list | `["NET_ADMIN","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE"]` | Capabilities for the `clean-cilium-state` init container |
| securityContext.capabilities.mountCgroup | list | `["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]` | Capabilities for the `mount-cgroup` init container |
| securityContext.privileged | bool | `false` | Run the pod with elevated privileges |
| securityContext.seLinuxOptions | object | `{"level":"s0","type":"spc_t"}` | SELinux options for the `cilium-agent` and init containers |
| serviceAccounts | object | Component's fully qualified name. | Define serviceAccount names for components. |
| serviceAccounts.clustermeshcertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"clustermesh-apiserver-generate-certs"}` | Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob |
| serviceAccounts.hubblecertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"hubble-generate-certs"}` | Hubblecertgen is used if hubble.tls.auto.method=cronJob |
| serviceAccounts.nodeinit.enabled | bool | `false` | Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by this issue. Name and automount can be configured, if enabled is set to true. Otherwise, they are ignored. Enabled can be removed once the issue is fixed. Cilium-nodeinit DS must also be fixed. |
| sleepAfterInit | bool | `false` | Do not run Cilium agent when running with clean mode. Useful to completely uninstall Cilium as it will stop Cilium from starting and create artifacts in the node. |
| socketLB | object | `{"enabled":false}` | Configure socket LB |
| socketLB.enabled | bool | `false` | Enable socket LB |
| startupProbe.failureThreshold | int | `105` | failure threshold of startup probe. 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) |
| startupProbe.periodSeconds | int | `2` | interval between checks of the startup probe |
| svcSourceRangeCheck | bool | `true` | Enable check of service source ranges (currently, only for LoadBalancer). |
| synchronizeK8sNodes | bool | `true` | Synchronize Kubernetes nodes to kvstore and perform CNP GC. |
| terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-agent DaemonSet. |
| tls | object | `{"ca":{"cert":"","certValidityDuration":1095,"key":""},"caBundle":{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false},"secretsBackend":"local"}` | Configure TLS configuration in the agent. |
| tls.ca | object | `{"cert":"","certValidityDuration":1095,"key":""}` | Base64 encoded PEM values for the CA certificate and private key. This can be used as common CA to generate certificates used by hubble and clustermesh components. It is neither required nor used when cert-manager is used to generate the certificates. |
| tls.ca.cert | string | `""` | Optional CA cert. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated. |
| tls.ca.certValidityDuration | int | `1095` | Generated certificates validity duration in days. This will be used for auto generated CA. |
| tls.ca.key | string | `""` | Optional CA private key. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated. |
| tls.caBundle | object | `{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false}` | Configure the CA trust bundle used for the validation of the certificates leveraged by hubble and clustermesh. When enabled, it overrides the content of the 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time. |
| tls.caBundle.enabled | bool | `false` | Enable the use of the CA trust bundle. |
| tls.caBundle.key | string | `"ca.crt"` | Entry of the ConfigMap containing the CA trust bundle. |
| tls.caBundle.name | string | `"cilium-root-ca.crt"` | Name of the ConfigMap containing the CA trust bundle. |
| tls.caBundle.useSecret | bool | `false` | Use a Secret instead of a ConfigMap. |
| tls.secretsBackend | string | `"local"` | This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). Possible values: - local - k8s |
| tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| tunnel | string | `"vxlan"` | Configure the encapsulation configuration for communication between nodes. Deprecated in favor of tunnelProtocol and routingMode. To be removed in 1.15. Possible values: - disabled - vxlan - geneve |
| tunnelPort | int | Port 8472 for VXLAN, Port 6081 for Geneve | Configure VXLAN and Geneve tunnel port. |
| tunnelProtocol | string | `"vxlan"` | Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values: - "" - vxlan - geneve |
| updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | Cilium agent update strategy |
| vtep.cidr | string | `""` | A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" |
| vtep.enabled | bool | `false` | Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. |
| vtep.endpoint | string | `""` | A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" |
| vtep.mac | string | `""` | A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" |
| vtep.mask | string | `""` | VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" |
| waitForKubeProxy | bool | `false` | Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" init container before launching cilium-agent. More context can be found in the commit message of below PR https://github.com/cilium/cilium/pull/20123 |
| wellKnownIdentities.enabled | bool | `false` | Enable the use of well-known identities. |

54
system/cilium/charts/cilium/README.md.gotmpl Normal file
View File

@@ -0,0 +1,54 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
Cilium is open source software for providing and transparently securing
network connectivity and loadbalancing between application workloads such as
application containers or processes. Cilium operates at Layer 3/4 to provide
traditional networking and security services as well as Layer 7 to protect and
secure use of modern application protocols such as HTTP, gRPC and Kafka.
A new Linux kernel technology called eBPF is at the foundation of Cilium.
It supports dynamic insertion of eBPF bytecode into the Linux kernel at various
integration points such as: network IO, application sockets, and tracepoints
to implement security, networking and visibility logic. eBPF is highly
efficient and flexible.
![Cilium feature overview](https://raw.githubusercontent.com/cilium/cilium/main/Documentation/images/cilium_overview.png)
## Prerequisites
* Kubernetes: `{{ template "chart.kubeVersion" . }}`
* Helm: `>= 3.0`
## Getting Started
Try Cilium on any Kubernetes distribution in under 15 minutes:
| Minikube | Self-Managed K8s | Amazon EKS | Google GKE | Microsoft AKS |
|:-:|:-:|:-:|:-:|:-:|
| [![Minikube](https://raw.githubusercontent.com/cilium/charts/master/images/minikube.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Self-Managed Kubernetes](https://raw.githubusercontent.com/cilium/charts/master/images/k8s.png)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Amazon EKS](https://raw.githubusercontent.com/cilium/charts/master/images/aws.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Google GKE](https://raw.githubusercontent.com/cilium/charts/master/images/google-cloud.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Microsoft AKS](https://raw.githubusercontent.com/cilium/charts/master/images/azure.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) |
Or, for a quick install with the default configuration:
```
$ helm repo add cilium https://helm.cilium.io/
$ helm install cilium cilium/cilium --namespace=kube-system
```
After Cilium is installed, you can explore the features that Cilium has to
offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/gettingstarted/).
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
## Getting Help
The best way to get help if you get stuck is to ask a question on the
[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
contributors across the globe, there is almost always someone available to help.
{{ template "chart.valuesSection" . }}

19
system/cilium/charts/cilium/files/agent/poststart-eni.bash Normal file
View File

@@ -0,0 +1,19 @@
set -o errexit
set -o pipefail
set -o nounset
# When running in AWS ENI mode, it's likely that 'aws-node' has
# had a chance to install SNAT iptables rules. These can result
# in dropped traffic, so we should attempt to remove them.
# We do it using a 'postStart' hook since this may need to run
# for nodes which might have already been init'ed but may still
# have dangling rules. This is safe because there are no
# dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in
# case of a restart).
if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
then
echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
fi
echo 'Done!'

8245
system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json Normal file
View File

File diff suppressed because it is too large Load Diff

323
system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json Normal file
View File

@@ -0,0 +1,323 @@
{
"node": {
"id": "host~127.0.0.1~no-id~localdomain",
"cluster": "ingress-cluster"
},
"staticResources": {
"listeners": [
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
{
"name": "envoy-prometheus-metrics-listener",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"stat_prefix": "envoy-prometheus-metrics-listener",
"route_config": {
"virtual_hosts": [
{
"name": "prometheus_metrics_route",
"domains": [
"*"
],
"routes": [
{
"name": "prometheus_metrics_route",
"match": {
"prefix": "/metrics"
},
"route": {
"cluster": "envoy-admin",
"prefix_rewrite": "/stats/prometheus"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.filters.http.router",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
}
}
],
"stream_idle_timeout": "0s"
}
}
]
}
]
},
{{- end }}
{
"name": "envoy-health-listener",
"address": {
"socket_address": {
"address": {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }},
"port_value": {{ .Values.envoy.healthPort }}
}
},
{{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
"additional_addresses": [
{
"address": {
"socket_address": {
"address": "::1",
"port_value": {{ .Values.envoy.healthPort }}
}
}
}
],
{{- end }}
"filter_chains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"stat_prefix": "envoy-health-listener",
"route_config": {
"virtual_hosts": [
{
"name": "health",
"domains": [
"*"
],
"routes": [
{
"name": "health",
"match": {
"prefix": "/healthz"
},
"route": {
"cluster": "envoy-admin",
"prefix_rewrite": "/ready"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.filters.http.router",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
}
}
],
"stream_idle_timeout": "0s"
}
}
]
}
]
}
],
"clusters": [
{
"name": "ingress-cluster",
"type": "ORIGINAL_DST",
"connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
"maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
"maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
},
{
"name": "egress-cluster-tls",
"type": "ORIGINAL_DST",
"connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
"maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
"maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
},
"upstreamHttpProtocolOptions": {},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s",
"transportSocket": {
"name": "cilium.tls_wrapper",
"typedConfig": {
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
}
}
},
{
"name": "egress-cluster",
"type": "ORIGINAL_DST",
"connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
"maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
"maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
},
{
"name": "ingress-cluster-tls",
"type": "ORIGINAL_DST",
"connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
"maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
"maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
},
"upstreamHttpProtocolOptions": {},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s",
"transportSocket": {
"name": "cilium.tls_wrapper",
"typedConfig": {
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
}
}
},
{
"name": "xds-grpc-cilium",
"type": "STATIC",
"connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
"loadAssignment": {
"clusterName": "xds-grpc-cilium",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"pipe": {
"path": "/var/run/cilium/envoy/sockets/xds.sock"
}
}
}
}
]
}
]
},
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"explicitHttpConfig": {
"http2ProtocolOptions": {}
}
}
}
},
{
"name": "envoy-admin",
"type": "STATIC",
"connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
"loadAssignment": {
"clusterName": "envoy-admin",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"pipe": {
"path": "/var/run/cilium/envoy/sockets/admin.sock"
}
}
}
}
]
}
]
}
}
]
},
"dynamicResources": {
"ldsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "xds-grpc-cilium"
}
}
],
"setNodeOnFirstMessageOnly": true
},
"resourceApiVersion": "V3"
},
"cdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "xds-grpc-cilium"
}
}
],
"setNodeOnFirstMessageOnly": true
},
"resourceApiVersion": "V3"
}
},
"layeredRuntime": {
"layers": [
{
"name": "static_layer_0",
"staticLayer": {
"overload": {
"global_downstream_max_connections": 50000
}
}
}
]
},
"admin": {
"address": {
"pipe": {
"path": "/var/run/cilium/envoy/sockets/admin.sock"
}
}
}
}

998
system/cilium/charts/cilium/files/cilium-operator/dashboards/cilium-operator-dashboard.json Normal file
View File

@@ -0,0 +1,998 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "-- Grafana --",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"gnetId": null,
"graphTooltip": 0,
"id": 8,
"links": [],
"panels": [
{
"aliasColors": {
"avg": "#cffaff"
},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 0,
"fillGradient": 0,
"gridPos": {
"h": 5,
"w": 12,
"x": 0,
"y": 0
},
"hiddenSeries": false,
"id": 24,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [
{
"alias": "max",
"fillBelowTo": "min",
"lines": false
},
{
"alias": "min",
"lines": false
}
],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "min(irate(cilium_operator_process_cpu_seconds_total{io_cilium_app=\"operator\"}[1m])) by (pod) * 100",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "min",
"refId": "A"
},
{
"expr": "avg(irate(cilium_operator_process_cpu_seconds_total{io_cilium_app=\"operator\"}[1m])) by (pod) * 100",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "avg",
"refId": "B"
},
{
"expr": "max(irate(cilium_operator_process_cpu_seconds_total{io_cilium_app=\"operator\"}[1m])) by (pod) * 100",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "max",
"refId": "C"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "CPU Usage per node",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "percent",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {
"MAX_resident_memory_bytes_max": "#e5ac0e"
},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 5,
"w": 12,
"x": 12,
"y": 0
},
"hiddenSeries": false,
"id": 26,
"legend": {
"alignAsTable": false,
"avg": false,
"current": false,
"max": false,
"min": false,
"rightSide": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "avg(cilium_operator_process_resident_memory_bytes{io_cilium_app=\"operator\"})",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "AVG_resident_memory_bytes",
"refId": "C"
},
{
"expr": "max(cilium_operator_process_resident_memory_bytes{io_cilium_app=\"operator\"})",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "MAX_resident_memory_bytes_max",
"refId": "D"
},
{
"expr": "min(cilium_operator_process_resident_memory_bytes{io_cilium_app=\"operator\"})",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "MIN_resident_memory_bytes_min",
"refId": "E"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Resident memory status",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "bytes",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"collapsed": false,
"datasource": null,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 5
},
"id": 6,
"panels": [],
"title": "IPAM",
"type": "row"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 6
},
"hiddenSeries": false,
"id": 8,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": true,
"steppedLine": false,
"targets": [
{
"expr": "avg(cilium_operator_ipam_ips) by (type)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{type}}",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "IP Addresses",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 6
},
"hiddenSeries": false,
"id": 10,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "rate(cilium_operator_ec2_api_duration_seconds_sum[1m])/rate(cilium_operator_ec2_api_duration_seconds_count[1m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{operation}} {{response_code}}",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "EC2 API Interactions",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "dtdurations",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 7,
"w": 8,
"x": 0,
"y": 14
},
"hiddenSeries": false,
"id": 4,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "cilium_operator_ipam_nodes",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{category}}",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Number of nodes",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 7,
"w": 8,
"x": 8,
"y": 14
},
"hiddenSeries": false,
"id": 12,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "cilium_operator_ipam_available",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "interfaces",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "# interfaces with addresses available",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 7,
"w": 8,
"x": 16,
"y": 14
},
"hiddenSeries": false,
"id": 16,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "rate(cilium_operator_ipam_resync_total[1m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "operations",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Metadata Resync Operations",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "ops",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 21
},
"hiddenSeries": false,
"id": 14,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": true,
"steppedLine": false,
"targets": [
{
"expr": "rate(cilium_operator_ec2_api_rate_limit_duration_seconds_sum[1m])/rate(cilium_operator_ec2_api_rate_limit_duration_seconds_count[1m])",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{operation}}",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "EC2 client side rate limiting",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "reqps",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "prometheus",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 21
},
"hiddenSeries": false,
"id": 2,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"dataLinks": []
},
"paceLength": 10,
"percentage": false,
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "avg(rate(cilium_operator_ipam_interface_creation_ops[1m])) by (subnetId, status)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{status}} ({{subnetId}})",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Interface Creation",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "ops",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
}
],
"refresh": false,
"schemaVersion": 25,
"style": "dark",
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-30m",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "Cilium Operator",
"uid": "1GC0TT4Wz",
"version": 2
}

3232
system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json Normal file
View File

File diff suppressed because it is too large Load Diff

1385
system/cilium/charts/cilium/files/hubble/dashboards/hubble-l7-http-metrics-by-workload.json Normal file
View File

File diff suppressed because it is too large Load Diff

60
system/cilium/charts/cilium/files/nodeinit/prestop.bash Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/bash
set -o errexit
set -o pipefail
set -o nounset
{{ .Values.nodeinit.prestop.preScript }}
if stat /tmp/node-deinit.cilium.io > /dev/null 2>&1; then
exit 0
fi
echo "Waiting on pods to stop..."
if [ ! -f /etc/crictl.yaml ] || grep -q 'docker' /etc/crictl.yaml; then
# Works for COS, ubuntu
while docker ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done
else
# COS-beta (with containerd). Some versions of COS have crictl in /home/kubernetes/bin.
while PATH="${PATH}:/home/kubernetes/bin" crictl ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done
fi
if ip link show cilium_host; then
echo "Deleting cilium_host interface..."
ip link del cilium_host
fi
{{- if not (eq .Values.nodeinit.bootstrapFile "") }}
rm -f {{ .Values.nodeinit.bootstrapFile | quote }}
{{- end }}
rm -f /tmp/node-init.cilium.io
touch /tmp/node-deinit.cilium.io
{{- if .Values.nodeinit.reconfigureKubelet }}
# Check if we're running on a GKE containerd flavor.
GKE_KUBERNETES_BIN_DIR="/home/kubernetes/bin"
if [[ -f "${GKE_KUBERNETES_BIN_DIR}/gke" ]] && command -v containerd &>/dev/null; then
CONTAINERD_CONFIG="/etc/containerd/config.toml"
echo "Reverting changes to the containerd configuration"
sed -Ei "s/^\#(\s+conf_template)/\1/g" "${CONTAINERD_CONFIG}"
echo "Removing the kubelet wrapper"
[[ -f "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" ]] && mv "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" "${GKE_KUBERNETES_BIN_DIR}/kubelet"
else
echo "Changing kubelet configuration to --network-plugin=kubenet"
sed -i "s:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:--network-plugin=kubenet:g" /etc/default/kubelet
fi
echo "Restarting the kubelet"
systemctl restart kubelet
{{- end }}
{{- if (and .Values.gke.enabled (or .Values.enableIPv4Masquerade .Values.gke.disableDefaultSnat))}}
# If the IP-MASQ chain exists, add back default jump rule from the GKE instance configure script
if iptables -w -t nat -L IP-MASQ > /dev/null; then
iptables -w -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
fi
{{- end }}
{{ .Values.nodeinit.prestop.postScript }}
echo "Node de-initialization complete"

206
system/cilium/charts/cilium/files/nodeinit/startup.bash Normal file
View File

@@ -0,0 +1,206 @@
#!/bin/bash
set -o errexit
set -o pipefail
set -o nounset
echo "Link information:"
ip link
echo "Routing table:"
ip route
echo "Addressing:"
ip -4 a
ip -6 a
{{ .Values.nodeinit.startup.preScript }}
{{- if .Values.nodeinit.removeCbrBridge }}
if ip link show cbr0; then
echo "Detected cbr0 bridge. Deleting interface..."
ip link del cbr0
fi
{{- end }}
{{- if .Values.nodeinit.reconfigureKubelet }}
# Check if we're running on a GKE containerd flavor as indicated by the presence
# of the '--container-runtime-endpoint' flag in '/etc/default/kubelet'.
GKE_KUBERNETES_BIN_DIR="/home/kubernetes/bin"
KUBELET_DEFAULTS_FILE="/etc/default/kubelet"
if [[ -f "${GKE_KUBERNETES_BIN_DIR}/gke" ]] && [[ $(grep -cF -- '--container-runtime-endpoint' "${KUBELET_DEFAULTS_FILE}") == "1" ]]; then
echo "GKE *_containerd flavor detected..."
# (GKE *_containerd) Upon node restarts, GKE's containerd images seem to reset
# the /etc directory and our changes to the kubelet and Cilium's CNI
# configuration are removed. This leaves room for containerd and its CNI to
# take over pods previously managed by Cilium, causing Cilium to lose
# ownership over these pods. We rely on the empirical observation that
# /home/kubernetes/bin/kubelet is not changed across node reboots, and replace
# it with a wrapper script that performs some initialization steps when
# required and then hands over control to the real kubelet.
# Only create the kubelet wrapper if we haven't previously done so.
if [[ ! -f "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" ]];
then
echo "Installing the kubelet wrapper..."
# Rename the real kubelet.
mv "${GKE_KUBERNETES_BIN_DIR}/kubelet" "${GKE_KUBERNETES_BIN_DIR}/the-kubelet"
# Initialize the kubelet wrapper which lives in the place of the real kubelet.
touch "${GKE_KUBERNETES_BIN_DIR}/kubelet"
chmod a+x "${GKE_KUBERNETES_BIN_DIR}/kubelet"
# Populate the kubelet wrapper. It will perform the initialization steps we
# need and then become the kubelet.
cat <<'EOF' | tee "${GKE_KUBERNETES_BIN_DIR}/kubelet"
#!/bin/bash
set -euo pipefail
CNI_CONF_DIR="/etc/cni/net.d"
CONTAINERD_CONFIG="/etc/containerd/config.toml"
# kubelet version string format is "Kubernetes v1.24-gke.900"
K8S_VERSION=$(/home/kubernetes/bin/the-kubelet --version)
# Helper to check if a version string, passed as first parameter, is greater than or
# equal the one passed as second parameter.
function version_gte() {
[[ "$(printf '%s\n' "${2}" "${1}" | sort -V | head -n1)" = "${2}" ]] && return
}
# Only stop and start containerd if the Cilium CNI configuration does not exist,
# or if the 'conf_template' property is present in the containerd config file,
# in order to avoid unnecessarily restarting containerd.
if [[ -z "$(find "${CNI_CONF_DIR}" -type f -name '*cilium*')" || \
"$(grep -cE '^\s+conf_template' "${CONTAINERD_CONFIG}")" != "0" ]];
then
# Stop containerd as it starts by creating a CNI configuration from a template
# causing pods to start with IPs assigned by GKE's CNI.
# 'disable --now' is used instead of stop as this script runs concurrently
# with containerd on node startup, and hence containerd might not have been
# started yet, in which case 'disable' prevents it from starting.
echo "Disabling and stopping containerd"
systemctl disable --now containerd
# Remove any pre-existing files in the CNI configuration directory. We skip
# any possibly existing Cilium configuration file for the obvious reasons.
echo "Removing undesired CNI configuration files"
find "${CNI_CONF_DIR}" -type f -not -name '*cilium*' -exec rm {} \;
# As mentioned above, the containerd configuration needs a little tweak in
# order not to create the default CNI configuration, so we update its config.
echo "Fixing containerd configuration"
sed -Ei 's/^(\s+conf_template)/\#\1/g' "${CONTAINERD_CONFIG}"
if version_gte "${K8S_VERSION#"Kubernetes "}" "v1.24"; then
# Starting from GKE node version 1.24, containerd version used is 1.6.
# Since that version containerd no longer allows missing configuration for the CNI,
# not even for pods with hostNetwork set to true. Thus, we add a temporary one.
# This will be replaced with the real config by the agent pod.
echo -e "{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}" > /etc/cni/net.d/05-cilium.conf
fi
# Start containerd. It won't create it's CNI configuration file anymore.
echo "Enabling and starting containerd"
systemctl enable --now containerd
fi
# Become the real kubelet and, for k8s < 1.24, pass it additional dockershim
# flags (and place these last so they have precedence).
if version_gte "${K8S_VERSION#"Kubernetes "}" "v1.24"; then
exec /home/kubernetes/bin/the-kubelet "${@}"
else
exec /home/kubernetes/bin/the-kubelet "${@}" --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}
fi
EOF
else
echo "Kubelet wrapper already exists, skipping..."
fi
else
# kubelet version string format is "Kubernetes v1.24-gke.900"
K8S_VERSION=$(kubelet --version)
# Helper to check if a version string, passed as first parameter, is greater than or
# equal the one passed as second parameter.
function version_gte() {
[[ "$(printf '%s\n' "${2}" "${1}" | sort -V | head -n1)" = "${2}" ]] && return
}
# Dockershim flags have been removed since k8s 1.24.
if ! version_gte "${K8S_VERSION#"Kubernetes "}" "v1.24"; then
# (Generic) Alter the kubelet configuration to run in CNI mode
echo "Changing kubelet configuration to --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}"
mkdir -p {{ .Values.cni.binPath }}
sed -i "s:--network-plugin=kubenet:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:g" "${KUBELET_DEFAULTS_FILE}"
fi
fi
echo "Restarting the kubelet..."
systemctl restart kubelet
{{- end }}
{{- if (and .Values.gke.enabled (or .Values.enableIPv4Masquerade .Values.gke.disableDefaultSnat))}}
# If Cilium is configured to manage masquerading of traffic leaving the node,
# we need to disable the IP-MASQ chain because even if ip-masq-agent
# is not installed, the node init script installs some default rules into
# the IP-MASQ chain.
# If we remove the jump to that ip-masq chain, then we ensure the ip masquerade
# configuration is solely managed by Cilium.
# Also, if Cilium is installed, it may be expected that it would be solely responsible
# for the networking configuration on that node. So provide the same functionality
# as the --disable-snat-flag for existing GKE clusters.
iptables -w -t nat -D POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ || true
{{- end }}
{{- if not (eq .Values.nodeinit.bootstrapFile "") }}
mkdir -p {{ .Values.nodeinit.bootstrapFile | dir | quote }}
date > {{ .Values.nodeinit.bootstrapFile | quote }}
{{- end }}
{{- if .Values.azure.enabled }}
# AKS: If azure-vnet is installed on the node, and (still) configured in bridge mode,
# configure it as 'transparent' to be consistent with Cilium's CNI chaining config.
# If the azure-vnet CNI config is not removed, kubelet will execute CNI CHECK commands
# against it every 5 seconds and write 'bridge' to its state file, causing inconsistent
# behaviour when Pods are removed.
if [ -f /etc/cni/net.d/10-azure.conflist ]; then
echo "Ensuring azure-vnet is configured in 'transparent' mode..."
sed -i 's/"mode":\s*"bridge"/"mode":"transparent"/g' /etc/cni/net.d/10-azure.conflist
fi
# The azure0 interface being present means the node was booted with azure-vnet configured
# in bridge mode. This means there might be ebtables rules and neight entries interfering
# with pod connectivity if we deploy with Azure IPAM.
if ip l show dev azure0 >/dev/null 2>&1; then
# In Azure IPAM mode, also remove the azure-vnet state file, otherwise ebtables rules get
# restored by the azure-vnet CNI plugin on every CNI CHECK, which can cause connectivity
# issues in Cilium-managed Pods. Since azure-vnet is no longer called on scheduling events,
# this file can be removed.
rm -f /var/run/azure-vnet.json
# This breaks connectivity for existing workload Pods when Cilium is scheduled, but we need
# to flush these to prevent Cilium-managed Pod IPs conflicting with Pod IPs previously allocated
# by azure-vnet. These ebtables DNAT rules contain fixed MACs that are no longer bound on the node,
# causing packets for these Pods to be redirected back out to the gateway, where they are dropped.
echo 'Flushing ebtables pre/postrouting rules in nat table.. (disconnecting non-Cilium Pods!)'
ebtables -t nat -F PREROUTING || true
ebtables -t nat -F POSTROUTING || true
# ip-masq-agent periodically injects PERM neigh entries towards the gateway
# for all other k8s nodes in the cluster. These are safe to flush, as ARP can
# resolve these nodes as usual. PERM entries will be automatically restored later.
echo 'Deleting all permanent neighbour entries on azure0...'
ip neigh show dev azure0 nud permanent | cut -d' ' -f1 | xargs -r -n1 ip neigh del dev azure0 to || true
fi
{{- end }}
{{- if .Values.nodeinit.revertReconfigureKubelet }}
rm -f /tmp/node-deinit.cilium.io
{{- end }}
{{ .Values.nodeinit.startup.postScript }}
echo "Node initialization complete"

48
system/cilium/charts/cilium/files/spire/init.bash Normal file
View File

@@ -0,0 +1,48 @@
# shellcheck disable=SC2086
# shellcheck disable=SC2139
set -e
echo "Waiting for spire process to start"
while ! pgrep spire-server > /dev/null; do sleep 5; done
SPIRE_SERVER_ROOT_PATH="/proc/$(pgrep spire-server)/root"
alias spire_server="${SPIRE_SERVER_ROOT_PATH}/opt/spire/bin/spire-server"
SOCKET_PATH="${SPIRE_SERVER_ROOT_PATH}/tmp/spire-server/private/api.sock"
SOCKET_FLAG="-socketPath ${SOCKET_PATH}"
echo "Checking spire-server status"
while ! spire_server entry show ${SOCKET_FLAG} &> /dev/null; do
echo "Waiting for spire-server to start..."
sleep 5
done
echo "Spire Server is up, initializing cilium spire entries..."
AGENT_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/ns/{{ .Values.authentication.mutual.spire.install.namespace }}/sa/spire-agent"
AGENT_SELECTORS="-selector k8s_psat:agent_ns:{{ .Values.authentication.mutual.spire.install.namespace }} -selector k8s_psat:agent_sa:spire-agent"
CILIUM_AGENT_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-agent"
CILIUM_AGENT_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.cilium.name }}"
CILIUM_OPERATOR_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-operator"
CILIUM_OPERATOR_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.operator.name }}"
while pgrep spire-server > /dev/null;
do
echo "Ensuring agent entry"
if spire_server entry show ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
spire_server entry create ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS -node
fi
echo "Ensuring cilium-agent entry (required for the delegated identity to work)"
if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS
fi
echo "Ensuring cilium-operator entry (required for creating SPIFFE identities)"
if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS
fi
echo "Cilium Spire entries are initialized successfully or already in-sync"
sleep 30;
done

35
system/cilium/charts/cilium/files/spire/wait-for-spire.bash Normal file
View File

@@ -0,0 +1,35 @@
set -e
echo "Waiting for spire server to be reachable to start"
{{- if .Values.authentication.mutual.spire.serverAddress }}
ADDR="{{ .Values.authentication.mutual.spire.serverAddress }}"
{{- else }}
ADDR="spire-server.{{ .Values.authentication.mutual.spire.install.namespace}}.svc:8081"
{{- end }}
CONN_TIMEOUT="3"
TIMEOUT="60"
call_tcp_endpoint_with_timeout() {
local addr="$1"
local timeout="$2"
nc -z "$addr" -w "$timeout" &> /dev/null
}
# wait for SPIRE server to be reachable till $TIMEOUT is reached
start_time=$(date +%s)
while true; do
if call_tcp_endpoint_with_timeout "$ADDR" "$CONN_TIMEOUT"; then
echo "SPIRE server is reachable"
break
fi
if [ $(( $(date +%s) - start_time )) -gt "$TIMEOUT" ]; then
echo "Timed out waiting for spire server to be reachable"
exit 1
fi
echo "Waiting for spire server to be reachable"
sleep 1
done

22
system/cilium/charts/cilium/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,22 @@
{{- if (and (.Values.preflight.enabled) (not (.Values.agent)) (not (.Values.operator.enabled))) }}
You have successfully ran the preflight check.
Now make sure to check the number of READY pods is the same as the number of running cilium pods.
Then make sure the cilium preflight deployment is also marked READY 1/1.
If you have an issues please refer to the CNP Validation section in the upgrade guide.
{{- else if (and (.Values.hubble.enabled) (.Values.hubble.relay.enabled)) }}
{{- if (.Values.hubble.ui.enabled) }}
You have successfully installed {{ title .Chart.Name }} with Hubble Relay and Hubble UI.
{{- else }}
You have successfully installed {{ title .Chart.Name }} with Hubble Relay.
{{- end }}
{{- else if .Values.hubble.enabled }}
You have successfully installed {{ title .Chart.Name }} with Hubble.
{{- else if (and (.Values.hubble.ui.enabled) (.Values.hubble.ui.standalone.enabled)) }}
You have successfully installed {{ title .Chart.Name }} with standalone Hubble UI.
{{- else }}
You have successfully installed {{ title .Chart.Name }}.
{{- end }}
Your release version is {{ .Chart.Version }}.
For any further help, visit https://docs.cilium.io/en/v{{ (semver .Chart.Version).Major }}.{{ (semver .Chart.Version).Minor }}/gettinghelp

156
system/cilium/charts/cilium/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,156 @@
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "cilium.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Render full image name from given values, e.g:
```
image:
repository: quay.io/cilium/cilium
tag: v1.10.1
useDigest: true
digest: abcdefgh
```
then `include "cilium.image" .Values.image`
will return `quay.io/cilium/cilium:v1.10.1@abcdefgh`
*/}}
{{- define "cilium.image" -}}
{{- $digest := (.useDigest | default false) | ternary (printf "@%s" .digest) "" -}}
{{- if .override -}}
{{- printf "%s" .override -}}
{{- else -}}
{{- printf "%s:%s%s" .repository .tag $digest -}}
{{- end -}}
{{- end -}}
{{/*
Return user specify priorityClass or default criticalPriorityClass
Usage:
include "cilium.priorityClass" (list $ <priorityClass> <criticalPriorityClass>)
where:
* `priorityClass`: is user specify priorityClass e.g `.Values.operator.priorityClassName`
* `criticalPriorityClass`: default criticalPriorityClass, e.g `"system-cluster-critical"`
This value is used when `priorityClass` is `nil` and
`.Values.enableCriticalPriorityClass=true` and kubernetes supported it.
*/}}
{{- define "cilium.priorityClass" -}}
{{- $root := index . 0 -}}
{{- $priorityClass := index . 1 -}}
{{- $criticalPriorityClass := index . 2 -}}
{{- if $priorityClass }}
{{- $priorityClass }}
{{- else if and $root.Values.enableCriticalPriorityClass $criticalPriorityClass -}}
{{- if and (eq $root.Release.Namespace "kube-system") (semverCompare ">=1.10-0" $root.Capabilities.KubeVersion.Version) -}}
{{- $criticalPriorityClass }}
{{- else if semverCompare ">=1.17-0" $root.Capabilities.KubeVersion.Version -}}
{{- $criticalPriorityClass }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "ingress.apiVersion" -}}
{{- if semverCompare ">=1.16-0, <1.19-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate backend for Hubble UI ingress.
*/}}
{{- define "ingress.paths" -}}
{{ if semverCompare ">=1.4-0, <1.19-0" .Capabilities.KubeVersion.Version -}}
backend:
serviceName: hubble-ui
servicePort: http
{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}}
pathType: Prefix
backend:
service:
name: hubble-ui
port:
name: http
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "cronjob.apiVersion" -}}
{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
{{- print "batch/v1" -}}
{{- else -}}
{{- print "batch/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for podDisruptionBudget.
*/}}
{{- define "podDisruptionBudget.apiVersion" -}}
{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
{{- print "policy/v1" -}}
{{- else -}}
{{- print "policy/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Generate TLS CA for Cilium
Note: Always use this template as follows:
{{- $_ := include "cilium.ca.setup" . -}}
The assignment to `$_` is required because we store the generated CI in a global `commonCA`
and `commonCASecretName` variables.
*/}}
{{- define "cilium.ca.setup" }}
{{- if not .commonCA -}}
{{- $ca := "" -}}
{{- $secretName := "cilium-ca" -}}
{{- $crt := .Values.tls.ca.cert -}}
{{- $key := .Values.tls.ca.key -}}
{{- if and $crt $key }}
{{- $ca = buildCustomCert $crt $key -}}
{{- else }}
{{- with lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $crt := index .data "ca.crt" }}
{{- $key := index .data "ca.key" }}
{{- $ca = buildCustomCert $crt $key -}}
{{- else }}
{{- $validity := ( .Values.tls.ca.certValidityDuration | int) -}}
{{- $ca = genCA "Cilium CA" $validity -}}
{{- end }}
{{- end -}}
{{- $_ := set (set . "commonCA" $ca) "commonCASecretName" $secretName -}}
{{- end -}}
{{- end -}}
{{/*
Check if duration is non zero value, return duration, empty when zero.
*/}}
{{- define "hasDuration" }}
{{- $now := now }}
{{- if ne $now ($now | dateModify (toString .)) }}
{{- . }}
{{- end }}
{{- end }}
{{/*
Validate duration field, return validated duration, 0s when provided duration is empty.
*/}}
{{- define "validateDuration" }}
{{- if . }}
{{- $_ := now | mustDateModify (toString .) }}
{{- . }}
{{- else -}}
0s
{{- end }}
{{- end }}

142
system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml Normal file
View File

@@ -0,0 +1,142 @@
{{- if and .Values.agent (not .Values.preflight.enabled) }}
{{- /*
Keep file in sync with cilium-preflight/clusterrole.yaml
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- pods
- endpoints
- nodes
verbs:
- get
- list
- watch
{{- if .Values.annotateK8sNode }}
- apiGroups:
- ""
resources:
- nodes/status
verbs:
# To annotate the k8s node with Cilium's metadata
- patch
{{- end }}
{{- if .Values.l2announcements.enabled }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- list
- delete
{{- end }}
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
# This is used when validating policies in preflight. This will need to stay
# until we figure out how to avoid "get" inside the preflight, and then
# should be removed ideally.
- get
{{- if eq "k8s" .Values.tls.secretsBackend }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{{- end }}
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumbgppeeringpolicies
- ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies
- ciliumendpoints
- ciliumendpointslices
- ciliumenvoyconfigs
- ciliumidentities
- ciliumlocalredirectpolicies
- ciliumnetworkpolicies
- ciliumnodes
- ciliumnodeconfigs
- ciliumcidrgroups
- ciliuml2announcementpolicies
- ciliumpodippools
verbs:
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumidentities
- ciliumendpoints
- ciliumnodes
verbs:
- create
- apiGroups:
- cilium.io
# To synchronize garbage collection of such resources
resources:
- ciliumidentities
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints
verbs:
- delete
- get
- apiGroups:
- cilium.io
resources:
- ciliumnodes
- ciliumnodes/status
verbs:
- get
- update
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status
- ciliumendpoints
- ciliuml2announcementpolicies/status
verbs:
- patch
{{- end }}

16
system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.cilium.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end }}

933
system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml Normal file
View File

@@ -0,0 +1,933 @@
{{- if and .Values.agent (not .Values.preflight.enabled) }}
{{- /* Default values with backwards compatibility */ -}}
{{- $defaultKeepDeprecatedProbes := true -}}
{{- /* Default values when 1.8 was initially deployed */ -}}
{{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
{{- $defaultKeepDeprecatedProbes = false -}}
{{- end -}}
{{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement "false") -}}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cilium
namespace: {{ .Release.Namespace }}
labels:
k8s-app: cilium
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-agent
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- if and .Values.gke.enabled (eq .Release.Namespace "kube-system" ) }}
{{- fail "Invalid configuration: Installing Cilium on GKE with 'kubernetes.io/cluster-service' labels on 'kube-system' namespace causes Cilium DaemonSet to be removed by GKE. Either install Cilium on a different Namespace or install with '--set keepDeprecatedLabels=false'" }}
{{- end }}
{{- end }}
spec:
selector:
matchLabels:
k8s-app: cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- end }}
{{- with .Values.updateStrategy }}
updateStrategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- if and .Values.prometheus.enabled (not .Values.prometheus.serviceMonitor.enabled) }}
prometheus.io/port: "{{ .Values.prometheus.port }}"
prometheus.io/scrape: "true"
{{- end }}
{{- if .Values.rollOutCiliumPods }}
# ensure pods roll when configmap updates
cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }}
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined"
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined"
{{- if .Values.cgroup.autoMount.enabled }}
container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined"
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined"
{{- end }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- end }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cilium-agent
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.sleepAfterInit }}
command:
- /bin/bash
- -c
- --
args:
- |
while true; do
sleep 30;
done
livenessProbe:
exec:
command:
- "true"
readinessProbe:
exec:
command:
- "true"
{{- else }}
command:
# Workaround: https://github.com/cilium/cilium/pull/27561
- /bin/sh
- -c
- |
rm -rf /run/cilium/cgroupv2
ln -sf /sys/fs/cgroup /run/cilium/cgroupv2
exec cilium-agent --config-dir=/tmp/cilium/config-map
{{- with .Values.extraArgs }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
startupProbe:
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
successThreshold: 1
{{- end }}
livenessProbe:
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec:
command:
- cilium
- status
- --brief
{{- else }}
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
# Starting from Kubernetes 1.20, we are using startupProbe instead
# of this field.
initialDelaySeconds: 120
{{- end }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
timeoutSeconds: 5
readinessProbe:
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec:
command:
- cilium
- status
- --brief
{{- else }}
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
initialDelaySeconds: 5
{{- end }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
timeoutSeconds: 5
{{- end }}
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CILIUM_CLUSTERMESH_CONFIG
value: /var/lib/cilium/clustermesh/
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if .Values.cni.install }}
lifecycle:
{{- if ne .Values.cni.chainingMode "aws-cni" }}
postStart:
exec:
command:
- "bash"
- "-c"
- |
{{- tpl (.Files.Get "files/agent/poststart-eni.bash") . | nindent 20 }}
{{- end }}
preStop:
exec:
command:
- /cni-uninstall.sh
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }}
ports:
- name: peer-service
containerPort: {{ .Values.hubble.peerService.targetPort }}
hostPort: {{ .Values.hubble.peerService.targetPort }}
protocol: TCP
{{- if .Values.prometheus.enabled }}
- name: prometheus
containerPort: {{ .Values.prometheus.port }}
hostPort: {{ .Values.prometheus.port }}
protocol: TCP
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }}
- name: envoy-metrics
containerPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
hostPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
protocol: TCP
{{- end }}
{{- end }}
{{- if .Values.hubble.metrics.enabled }}
- name: hubble-metrics
containerPort: {{ .Values.hubble.metrics.port }}
hostPort: {{ .Values.hubble.metrics.port }}
protocol: TCP
{{- end }}
{{- end }}
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.ciliumAgent }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
{{- if .Values.authentication.mutual.spire.enabled }}
- name: spire-agent-socket
mountPath: {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
readOnly: false
{{- end }}
{{- if .Values.envoy.enabled }}
- name: envoy-sockets
mountPath: /var/run/cilium/envoy/sockets
readOnly: false
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Unprivileged containers need to mount /proc/sys/net from the host
# to have write access
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
# Unprivileged containers need to mount /proc/sys/kernel from the host
# to have write access
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
{{- end}}
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
- name: bpf-maps
mountPath: /sys/fs/bpf
{{- if .Values.securityContext.privileged }}
mountPropagation: Bidirectional
{{- else }}
# Unprivileged containers can't set mount propagation to bidirectional
# in this case we will mount the bpf fs from an init container that
# is privileged and set the mount propagation from host to container
# in Cilium.
mountPropagation: HostToContainer
{{- end}}
{{- end }}
{{- if not (contains "/run/cilium/cgroupv2" .Values.cgroup.hostRoot) }}
# Check for duplicate mounts before mounting
- name: cilium-cgroup
mountPath: {{ .Values.cgroup.hostRoot }}
{{- end}}
- name: cilium-run
mountPath: /var/run/cilium
- name: etc-cni-netd
mountPath: {{ .Values.cni.hostConfDirMountPath }}
{{- if .Values.etcd.enabled }}
- name: etcd-config-path
mountPath: /var/lib/etcd-config
readOnly: true
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name: etcd-secrets
mountPath: /var/lib/etcd-secrets
readOnly: true
{{- end }}
{{- end }}
- name: clustermesh-secrets
mountPath: /var/lib/cilium/clustermesh
readOnly: true
{{- if .Values.ipMasqAgent.enabled }}
- name: ip-masq-agent
mountPath: /etc/config
readOnly: true
{{- end }}
{{- if .Values.cni.configMap }}
- name: cni-configuration
mountPath: {{ .Values.cni.confFileMountPath }}
readOnly: true
{{- end }}
# Needed to be able to load kernel modules
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name: cilium-ipsec-secrets
mountPath: {{ .Values.encryption.ipsec.mountPath | default .Values.encryption.mountPath }}
{{- end }}
{{- if .Values.kubeConfigPath }}
- name: kube-config
mountPath: {{ .Values.kubeConfigPath }}
readOnly: true
{{- end }}
{{- if .Values.bgp.enabled }}
- name: bgp-config-path
mountPath: /var/lib/cilium/bgp
readOnly: true
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name: hubble-tls
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
{{- end }}
- name: tmp
mountPath: /tmp
{{- range .Values.extraHostPathMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
readOnly: {{ .readOnly }}
{{- if .mountPropagation }}
mountPropagation: {{ .mountPropagation }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.monitor.enabled }}
- name: cilium-monitor
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/bash
- -c
- --
args:
- |-
for i in {1..5}; do \
[ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\
done; \
cilium monitor
{{- range $type := .Values.monitor.eventTypes -}}
{{ " " }}--type={{ $type }}
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: cilium-run
mountPath: /var/run/cilium
{{- with .Values.monitor.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 6 }}
{{- end }}
initContainers:
- name: config
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- cilium
- build-config
{{- if (not (kindIs "invalid" .Values.daemon.configSources)) }}
- "--source={{.Values.daemon.configSources}}"
{{- end }}
{{- if (not (kindIs "invalid" .Values.daemon.allowedConfigOverrides)) }}
- "--allow-config-keys={{.Values.daemon.allowedConfigOverrides}}"
{{- end }}
{{- if (not (kindIs "invalid" .Values.daemon.blockedConfigOverrides)) }}
- "--deny-config-keys={{.Values.daemon.blockedConfigOverrides}}"
{{- end }}
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.cgroup.autoMount.enabled }}
# Required to mount cgroup2 filesystem on the underlying Kubernetes node.
# We use nsenter command with host's cgroup and mount namespaces enabled.
- name: mount-cgroup
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: CGROUP_ROOT
value: {{ .Values.cgroup.hostRoot }}
- name: BIN_PATH
value: {{ .Values.cni.binPath }}
{{- with .Values.cgroup.autoMount.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh and mount that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-mount /hostbin/cilium-mount;
nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
rm /hostbin/cilium-mount
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.mountCgroup }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end}}
- name: apply-sysctl-overwrites
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: BIN_PATH
value: {{ .Values.cni.binPath }}
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
rm /hostbin/cilium-sysctlfix
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.applySysctlOverwrites }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end}}
{{- end }}
{{- if and .Values.bpf.autoMount.enabled (not .Values.securityContext.privileged) }}
# Mount the bpf fs if it is not mounted. We will perform this task
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
command:
- /bin/bash
- -c
- --
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
{{- end }}
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: wait-for-node-init
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
- -c
- |
until test -s {{ (print "/tmp/cilium-bootstrap.d/" (.Values.nodeinit.bootstrapFile | base)) | quote }}; do
echo "Waiting on node-init to run...";
sleep 1;
done
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: cilium-bootstrap-file-dir
mountPath: "/tmp/cilium-bootstrap.d"
{{- end }}
- name: clean-cilium-state
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-state
optional: true
- name: CILIUM_BPF_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-bpf-state
optional: true
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.cleanCiliumState }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end}}
volumeMounts:
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
- name: bpf-maps
mountPath: /sys/fs/bpf
{{- end }}
# Required to mount cgroup filesystem from the host to cilium agent pod
- name: cilium-cgroup
mountPath: {{ .Values.cgroup.hostRoot }}
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
{{- with .Values.nodeinit.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if and .Values.waitForKubeProxy (ne $kubeProxyReplacement "strict") }}
- name: wait-for-kube-proxy
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
privileged: true
command:
- bash
- -c
- |
while true
do
if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'iptables-nft-save -t mangle'"
exit 0
fi
if ip6tables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'ip6tables-nft-save -t mangle'"
exit 0
fi
if iptables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "Found KUBE-PROXY-CANARY iptables rule in 'iptables-legacy-save"
exit 0
fi
if ip6tables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "KUBE-PROXY-CANARY iptables rule in 'ip6tables-legacy-save'"
exit 0
fi
echo "Waiting for kube-proxy to create iptables rules...";
sleep 1;
done
terminationMessagePolicy: FallbackToLogsOnError
{{- end }} # wait-for-kube-proxy
{{- if .Values.cni.install }}
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name: install-cni-binaries
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- "/install-plugin.sh"
resources:
requests:
cpu: 100m
memory: 10Mi
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
capabilities:
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: cni-path
mountPath: /host/opt/cni/bin
{{- end }} # .Values.cni.install
restartPolicy: Always
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }}
automountServiceAccountToken: {{ .Values.serviceAccounts.cilium.automount }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
hostNetwork: true
{{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }}
# In managed etcd mode, Cilium must be able to resolve the DNS name of
# the etcd service
dnsPolicy: ClusterFirstWithHostNet
{{- else if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled (not .Values.clustermesh.apiserver.kvstoremesh.enabled) }}
hostAliases:
{{- range $cluster := .Values.clustermesh.config.clusters }}
{{- range $ip := $cluster.ips }}
- ip: {{ $ip }}
hostnames: [ "{{ $cluster.name }}.{{ $.Values.clustermesh.config.domain }}" ]
{{- end }}
{{- end }}
{{- end }}
volumes:
# For sharing configuration between the "config" initContainer and the agent
- name: tmp
emptyDir: {}
# To keep state between restarts / upgrades
- name: cilium-run
hostPath:
path: {{ .Values.daemon.runPath }}
type: DirectoryOrCreate
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
# To keep state between restarts / upgrades for bpf maps
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
{{- end }}
{{- if .Values.cgroup.autoMount.enabled }}
# To mount cgroup2 filesystem on the host
- name: hostproc
hostPath:
path: /proc
type: Directory
{{- end }}
# To keep state between restarts / upgrades for cgroup2 filesystem
- name: cilium-cgroup
hostPath:
path: {{ .Values.cgroup.hostRoot}}
type: DirectoryOrCreate
# To install cilium cni plugin in the host
- name: cni-path
hostPath:
path: {{ .Values.cni.binPath }}
type: DirectoryOrCreate
# To install cilium cni configuration in the host
- name: etc-cni-netd
hostPath:
path: {{ .Values.cni.confPath }}
type: DirectoryOrCreate
# To be able to load kernel modules
- name: lib-modules
hostPath:
path: /lib/modules
# To access iptables concurrently with other processes (e.g. kube-proxy)
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
{{- if .Values.authentication.mutual.spire.enabled }}
- name: spire-agent-socket
hostPath:
path: {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
type: DirectoryOrCreate
{{- end }}
{{- if .Values.envoy.enabled }}
# Sharing socket with Cilium Envoy on the same node by using a host path
- name: envoy-sockets
hostPath:
path: "{{ .Values.daemon.runPath }}/envoy/sockets"
type: DirectoryOrCreate
{{- end }}
{{- if .Values.kubeConfigPath }}
- name: kube-config
hostPath:
path: {{ .Values.kubeConfigPath }}
type: FileOrCreate
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: cilium-bootstrap-file-dir
hostPath:
path: {{ .Values.nodeinit.bootstrapFile | dir | quote }}
type: DirectoryOrCreate
{{- end }}
{{- if .Values.etcd.enabled }}
# To read the etcd config stored in config maps
- name: etcd-config-path
configMap:
name: cilium-config
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
items:
- key: etcd-config
path: etcd.config
# To read the k8s etcd secrets in case the user might want to use TLS
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name: etcd-secrets
secret:
secretName: cilium-etcd-secrets
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
optional: true
{{- end }}
{{- end }}
# To read the clustermesh configuration
- name: clustermesh-secrets
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: cilium-clustermesh
optional: true
# note: items are not explicitly listed here, since the entries of this secret
# depend on the peers configured, and that would cause a restart of all agents
# at every addition/removal. Leaving the field empty makes each secret entry
# to be automatically projected into the volume as a file whose name is the key.
- secret:
name: clustermesh-apiserver-remote-cert
optional: true
items:
- key: tls.key
path: common-etcd-client.key
- key: tls.crt
path: common-etcd-client.crt
{{- if not .Values.tls.caBundle.enabled }}
- key: ca.crt
path: common-etcd-client-ca.crt
{{- else }}
- {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
name: {{ .Values.tls.caBundle.name }}
optional: true
items:
- key: {{ .Values.tls.caBundle.key }}
path: common-etcd-client-ca.crt
{{- end }}
{{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }}
- name: ip-masq-agent
configMap:
name: ip-masq-agent
optional: true
items:
- key: config
path: ip-masq-agent
{{- end }}
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name: cilium-ipsec-secrets
secret:
secretName: {{ .Values.encryption.ipsec.secretName | default .Values.encryption.secretName }}
{{- end }}
{{- if .Values.cni.configMap }}
- name: cni-configuration
configMap:
name: {{ .Values.cni.configMap }}
{{- end }}
{{- if .Values.bgp.enabled }}
- name: bgp-config-path
configMap:
name: bgp-config
{{- end }}
{{- if not .Values.securityContext.privileged }}
- name: host-proc-sys-net
hostPath:
path: /proc/sys/net
type: Directory
- name: host-proc-sys-kernel
hostPath:
path: /proc/sys/kernel
type: Directory
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name: hubble-tls
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: hubble-server-certs
optional: true
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
{{- if not .Values.tls.caBundle.enabled }}
- key: ca.crt
path: client-ca.crt
{{- else }}
- {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
name: {{ .Values.tls.caBundle.name }}
optional: true
items:
- key: {{ .Values.tls.caBundle.key }}
path: client-ca.crt
{{- end }}
{{- end }}
{{- range .Values.extraHostPathMounts }}
- name: {{ .name }}
hostPath:
path: {{ .hostPath }}
{{- if .hostPathType }}
type: {{ .hostPathType }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}

25
system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.dashboards.enabled }}
{{- $files := .Files.Glob "files/cilium-agent/dashboards/*.json" }}
{{- range $path, $fileContents := $files }}
{{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $dashboardName | trunc 63 | trimSuffix "-" }}
namespace: {{ $.Values.dashboards.namespace | default $.Release.Namespace }}
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
{{- if $.Values.dashboards.label }}
{{ $.Values.dashboards.label }}: {{ ternary $.Values.dashboards.labelValue "1" (not (empty $.Values.dashboards.labelValue)) | quote }}
{{- end }}
{{- with $.Values.dashboards.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }}
{{- end }}
{{- end }}

80
system/cilium/charts/cilium/templates/cilium-agent/role.yaml Normal file
View File

@@ -0,0 +1,80 @@
{{- if and .Values.agent (not .Values.preflight.enabled) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-config-agent
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
{{- end }}
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-ingress-secrets
namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- end }}
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-gateway-secrets
namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- end}}
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.envoyConfig.enabled .Values.envoyConfig.secretsNamespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-envoy-config-secrets
namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- end}}

75
system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml Normal file
View File

@@ -0,0 +1,75 @@
{{- if and .Values.agent (not .Values.preflight.enabled) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-config-agent
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-config-agent
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.cilium.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end}}
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.name}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-secrets
namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-ingress-secrets
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.cilium.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.name}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-gateway-secrets
namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-gateway-secrets
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.cilium.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end}}
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.envoyConfig.enabled .Values.envoyConfig.secretsNamespace.name}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-envoy-config-secrets
namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-envoy-config-secrets
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.cilium.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end}}

52
system/cilium/charts/cilium/templates/cilium-agent/service.yaml Normal file
View File

@@ -0,0 +1,52 @@
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.prometheus.enabled }}
{{- if .Values.prometheus.serviceMonitor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: cilium-agent
namespace: {{ .Release.Namespace }}
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
clusterIP: None
type: ClusterIP
selector:
k8s-app: cilium
ports:
- name: metrics
port: {{ .Values.prometheus.port }}
protocol: TCP
targetPort: prometheus
{{- if not .Values.envoy.enabled }}
- name: envoy-metrics
port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
protocol: TCP
targetPort: envoy-metrics
{{- end }}
{{- else if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: cilium-agent
namespace: {{ .Release.Namespace }}
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }}
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
clusterIP: None
type: ClusterIP
selector:
k8s-app: cilium
ports:
- name: envoy-metrics
port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
protocol: TCP
targetPort: envoy-metrics
{{- end }}
{{- end }}

11
system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.cilium.name | quote }}
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceAccounts.cilium.annotations }}
annotations:
{{- toYaml .Values.serviceAccounts.cilium.annotations | nindent 4 }}
{{- end }}
{{- end }}

39
system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- if and .Values.agent (not .Values.preflight.enabled) .Values.prometheus.enabled .Values.prometheus.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: cilium-agent
namespace: {{ .Values.prometheus.serviceMonitor.namespace | default .Release.Namespace }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.prometheus.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.prometheus.serviceMonitor.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
k8s-app: cilium
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
endpoints:
- port: metrics
interval: {{ .Values.prometheus.serviceMonitor.interval | quote }}
honorLabels: true
path: /metrics
{{- with .Values.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 4 }}
{{- end }}
targetLabels:
- k8s-app
{{- end }}

11
system/cilium/charts/cilium/templates/cilium-ca-bundle-configmap.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if and .Values.tls.caBundle.enabled .Values.tls.caBundle.content -}}
---
apiVersion: v1
kind: {{ .Values.tls.caBundle.useSecret | ternary "Secret" "ConfigMap" }}
metadata:
name: {{ .Values.tls.caBundle.name }}
namespace: {{ .Release.Namespace }}
{{ .Values.tls.caBundle.useSecret | ternary "stringData" "data" }}:
{{ .Values.tls.caBundle.key }}: |
{{- .Values.tls.caBundle.content | nindent 4 }}
{{- end }}

17
system/cilium/charts/cilium/templates/cilium-ca-secret.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if or
(and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") (not .Values.clustermesh.apiserver.tls.ca.cert))
(and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm"))
(and .Values.tls.ca.key .Values.tls.ca.cert)
-}}
{{- $_ := include "cilium.ca.setup" . -}}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .commonCASecretName }}
namespace: {{ .Release.Namespace }}
data:
ca.crt: {{ .commonCA.Cert | b64enc }}
ca.key: {{ .commonCA.Key | b64enc }}
{{- end }}

1169
system/cilium/charts/cilium/templates/cilium-configmap.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

12
system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cilium-envoy-config
namespace: {{ .Release.Namespace }}
data:
{{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }}
{{- end }}

254
system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml Normal file
View File

@@ -0,0 +1,254 @@
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cilium-envoy
namespace: {{ .Release.Namespace }}
labels:
k8s-app: cilium-envoy
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-envoy
name: cilium-envoy
spec:
selector:
matchLabels:
k8s-app: cilium-envoy
{{- with .Values.envoy.updateStrategy }}
updateStrategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
prometheus.io/port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}"
prometheus.io/scrape: "true"
{{- end }}
{{- if .Values.envoy.rollOutPods }}
# ensure pods roll when configmap updates
cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}
{{- end }}
{{- if not .Values.envoy.securityContext.privileged }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/cilium-envoy: "unconfined"
{{- end }}
{{- with .Values.envoy.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
k8s-app: cilium-envoy
name: cilium-envoy
app.kubernetes.io/name: cilium-envoy
app.kubernetes.io/part-of: cilium
{{- with .Values.envoy.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cilium-envoy
image: {{ include "cilium.image" .Values.envoy.image | quote }}
imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
command:
- /usr/bin/cilium-envoy
args:
- '-c /var/run/cilium/envoy/bootstrap-config.json'
- '--base-id 0'
{{- if and (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "envoy" ( splitList " " .Values.debug.verbose )) }}
- '--log-level trace'
{{- else if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "flow" ( splitList " " .Values.debug.verbose )) }}
- '--log-level debug'
{{- else }}
- '--log-level info'
{{- end }}
- '--log-format {{ .Values.envoy.log.format }}'
{{- if .Values.envoy.log.path }}
- '--log-path {{ .Values.envoy.log.path }}'
{{- end }}
{{- with .Values.envoy.extraArgs }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
startupProbe:
httpGet:
host: "localhost"
path: /healthz
port: {{ .Values.envoy.healthPort }}
scheme: HTTP
failureThreshold: {{ .Values.envoy.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }}
successThreshold: 1
{{- end }}
livenessProbe:
httpGet:
host: "localhost"
path: /healthz
port: {{ .Values.envoy.healthPort }}
scheme: HTTP
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
# Starting from Kubernetes 1.20, we are using startupProbe instead
# of this field.
initialDelaySeconds: 120
{{- end }}
periodSeconds: {{ .Values.envoy.livenessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.envoy.livenessProbe.failureThreshold }}
timeoutSeconds: 5
readinessProbe:
httpGet:
host: "localhost"
path: /healthz
port: {{ .Values.envoy.healthPort }}
scheme: HTTP
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
initialDelaySeconds: 5
{{- end }}
periodSeconds: {{ .Values.envoy.readinessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.envoy.readinessProbe.failureThreshold }}
timeoutSeconds: 5
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.envoy.extraEnv }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- with .Values.envoy.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
ports:
- name: envoy-metrics
containerPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
hostPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
protocol: TCP
{{- end }}
securityContext:
{{- if .Values.envoy.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.envoy.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.envoy.securityContext.capabilities.envoy }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: envoy-sockets
mountPath: /var/run/cilium/envoy/sockets
readOnly: false
- name: envoy-config
mountPath: /var/run/cilium/envoy/
readOnly: true
{{- if .Values.bpf.autoMount.enabled }}
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: HostToContainer
{{- end }}
{{- range .Values.envoy.extraHostPathMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
readOnly: {{ .readOnly }}
{{- if .mountPropagation }}
mountPropagation: {{ .mountPropagation }}
{{- end }}
{{- end }}
{{- with .Values.envoy.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.envoy.extraContainers }}
{{- toYaml .Values.envoy.extraContainers | nindent 6 }}
{{- end }}
restartPolicy: Always
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.envoy.priorityClassName "system-node-critical") }}
serviceAccount: {{ .Values.serviceAccounts.envoy.name | quote }}
serviceAccountName: {{ .Values.serviceAccounts.envoy.name | quote }}
automountServiceAccountToken: {{ .Values.serviceAccounts.envoy.automount }}
terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
hostNetwork: true
{{- if .Values.envoy.dnsPolicy }}
dnsPolicy: {{ .Values.envoy.dnsPolicy }}
{{- end }}
{{- with .Values.envoy.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.envoy.tolerations }}
tolerations:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
volumes:
- name: envoy-sockets
hostPath:
path: "{{ .Values.daemon.runPath }}/envoy/sockets"
type: DirectoryOrCreate
- name: envoy-config
configMap:
name: cilium-envoy-config
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
items:
- key: bootstrap-config.json
path: bootstrap-config.json
# To keep state between restarts / upgrades
{{- if and .Values.bpf.autoMount.enabled }}
# To keep state between restarts / upgrades for bpf maps
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
{{- end }}
{{- range .Values.envoy.extraHostPathMounts }}
- name: {{ .name }}
hostPath:
path: {{ .hostPath }}
{{- if .hostPathType }}
type: {{ .hostPathType }}
{{- end }}
{{- end }}
{{- with .Values.envoy.extraVolumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}

27
system/cilium/charts/cilium/templates/cilium-envoy/service.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
apiVersion: v1
kind: Service
metadata:
name: cilium-envoy
namespace: {{ .Release.Namespace }}
{{- if not .Values.envoy.prometheus.serviceMonitor.enabled }}
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }}
{{- end }}
labels:
k8s-app: cilium-envoy
app.kubernetes.io/name: cilium-envoy
app.kubernetes.io/part-of: cilium
io.cilium/app: proxy
spec:
clusterIP: None
type: ClusterIP
selector:
k8s-app: cilium-envoy
ports:
- name: envoy-metrics
port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
protocol: TCP
targetPort: envoy-metrics
{{- end }}

11
system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.serviceAccounts.envoy.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.envoy.name | quote }}
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceAccounts.envoy.annotations }}
annotations:
{{- toYaml .Values.serviceAccounts.envoy.annotations | nindent 4 }}
{{- end }}
{{- end }}

39
system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled .Values.envoy.prometheus.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: cilium-envoy
namespace: {{ .Values.envoy.prometheus.serviceMonitor.namespace | default .Release.Namespace }}
labels:
app.kubernetes.io/part-of: cilium
{{- with .Values.envoy.prometheus.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.envoy.prometheus.serviceMonitor.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
k8s-app: cilium-envoy
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
endpoints:
- port: metrics
interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
honorLabels: true
path: /metrics
{{- with .Values.envoy.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 4 }}
{{- end }}
targetLabels:
- k8s-app
{{- end }}

10
system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml Normal file
View File

@@ -0,0 +1,10 @@
{{- if .Values.gatewayAPI.enabled -}}
{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1/GatewayClass" }}
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
name: cilium
spec:
controllerName: io.cilium/gateway-controller
{{- end}}
{{- end}}

12
system/cilium/charts/cilium/templates/cilium-ingress-class.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if .Values.ingressController.enabled -}}
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: cilium
{{- if .Values.ingressController.default }}
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
{{- end}}
spec:
controller: cilium.io/ingress-controller
{{- end}}

57
system/cilium/charts/cilium/templates/cilium-ingress-service.yaml Normal file
View File

@@ -0,0 +1,57 @@
{{- if .Values.ingressController.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.ingressController.service.name }}
namespace: {{ .Release.Namespace }}
labels:
cilium.io/ingress: "true"
{{- if .Values.ingressController.service.labels }}
{{- toYaml .Values.ingressController.service.labels | nindent 4 }}
{{- end }}
{{- if .Values.ingressController.service.annotations }}
annotations:
{{- toYaml .Values.ingressController.service.annotations | nindent 4 }}
{{- end }}
spec:
ports:
- name: http
port: 80
protocol: TCP
nodePort: {{ .Values.ingressController.service.insecureNodePort }}
- name: https
port: 443
protocol: TCP
nodePort: {{ .Values.ingressController.service.secureNodePort }}
type: {{ .Values.ingressController.service.type }}
{{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.ingressController.service.loadBalancerClass }}
loadBalancerClass: {{ .Values.ingressController.service.loadBalancerClass }}
{{- end }}
{{- if (not (kindIs "invalid" .Values.ingressController.service.allocateLoadBalancerNodePorts)) }}
allocateLoadBalancerNodePorts: {{ .Values.ingressController.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- end -}}
{{- if .Values.ingressController.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.ingressController.service.loadBalancerIP }}
{{- end }}
---
apiVersion: v1
kind: Endpoints
metadata:
name: {{ .Values.ingressController.service.name }}
namespace: {{ .Release.Namespace }}
{{- if .Values.ingressController.service.labels }}
labels:
{{- toYaml .Values.ingressController.service.labels | nindent 4 }}
{{- end }}
{{- if .Values.ingressController.service.annotations }}
annotations:
{{- toYaml .Values.ingressController.service.annotations | nindent 4 }}
{{- end }}
subsets:
- addresses:
- ip: "192.192.192.192"
ports:
- port: 9999
{{- end }}

110
system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml Normal file
View File

@@ -0,0 +1,110 @@
{{- if .Values.nodeinit.enabled }}
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: cilium-node-init
namespace: {{ .Release.Namespace }}
labels:
app: cilium-node-init
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-node-init
spec:
selector:
matchLabels:
app: cilium-node-init
{{- with .Values.nodeinit.updateStrategy }}
updateStrategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- with .Values.nodeinit.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/node-init: "unconfined"
{{- end }}
labels:
app: cilium-node-init
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-node-init
{{- with .Values.nodeinit.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: node-init
image: {{ include "cilium.image" .Values.nodeinit.image | quote }}
imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }}
lifecycle:
{{- if .Values.nodeinit.revertReconfigureKubelet }}
preStop:
exec:
command:
- nsenter
- --target=1
- --mount
- --
- /bin/bash
- -c
- |
{{- tpl (.Files.Get "files/nodeinit/prestop.bash") . | nindent 20 }}
{{- end }}
env:
{{- with .Values.nodeinit.extraEnv }}
{{- toYaml . | trim | nindent 10 }}
{{- end }}
# STARTUP_SCRIPT is the script run on node bootstrap. Node
# bootstrapping can be customized in this script. This script is invoked
# using nsenter, so it runs in the host's network and mount namespace using
# the host's userland tools!
- name: STARTUP_SCRIPT
value: |
{{- tpl (.Files.Get "files/nodeinit/startup.bash") . | nindent 14 }}
{{- with .Values.nodeinit.resources }}
resources:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.nodeinit.securityContext }}
securityContext:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
{{- with .Values.nodeinit.extraVolumeMounts }}
volumeMounts:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.nodeinit.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeinit.nodeSelector }}
nodeSelector:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- with .Values.nodeinit.tolerations }}
tolerations:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
hostPID: true
hostNetwork: true
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.nodeinit.priorityClassName "system-node-critical") }}
{{- if .Values.serviceAccounts.nodeinit.enabled }}
serviceAccount: {{ .Values.serviceAccounts.nodeinit.name | quote }}
serviceAccountName: {{ .Values.serviceAccounts.nodeinit.name | quote }}
automountServiceAccountToken: {{ .Values.serviceAccounts.nodeinit.automount }}
{{- end }}
{{- with .Values.nodeinit.extraVolumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}

11
system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if and .Values.nodeinit.enabled .Values.serviceAccounts.nodeinit.enabled .Values.serviceAccounts.nodeinit.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.nodeinit.name | quote }}
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceAccounts.nodeinit.annotations }}
annotations:
{{- toYaml .Values.serviceAccounts.nodeinit.annotations | nindent 4 }}
{{- end }}
{{- end }}

36
system/cilium/charts/cilium/templates/cilium-operator/_helpers.tpl Normal file
View File

@@ -0,0 +1,36 @@
{{- define "cilium.operator.cloud" -}}
{{- $cloud := "generic" -}}
{{- if .Values.eni.enabled -}}
{{- $cloud = "aws" -}}
{{- else if .Values.azure.enabled -}}
{{- $cloud = "azure" -}}
{{- else if .Values.alibabacloud.enabled -}}
{{- $cloud = "alibabacloud" -}}
{{- end -}}
{{- $cloud -}}
{{- end -}}
{{- define "cilium.operator.imageDigestName" -}}
{{- $imageDigest := (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.genericDigest) "" -}}
{{- if .Values.eni.enabled -}}
{{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.awsDigest) "" -}}
{{- else if .Values.azure.enabled -}}
{{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.azureDigest) "" -}}
{{- else if .Values.alibabacloud.enabled -}}
{{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.alibabacloudDigest) "" -}}
{{- end -}}
{{- $imageDigest -}}
{{- end -}}
{{/*
Return cilium operator image
*/}}
{{- define "cilium.operator.image" -}}
{{- if .Values.operator.image.override -}}
{{- printf "%s" .Values.operator.image.override -}}
{{- else -}}
{{- $cloud := include "cilium.operator.cloud" . }}
{{- $imageDigest := include "cilium.operator.imageDigestName" . }}
{{- printf "%s-%s%s:%s%s" .Values.operator.image.repository $cloud .Values.operator.image.suffix .Values.operator.image.tag $imageDigest -}}
{{- end -}}
{{- end -}}

Some files were not shown because too many files have changed in this diff Show More