From 8e03276d0ca1b65a92ff23d5e121d555e2228ca5 Mon Sep 17 00:00:00 2001
From: Jose Armesto
Date: Mon, 13 Nov 2023 16:48:57 +0100
Subject: [PATCH] Use cilium 1.14.3
---
CHANGELOG.md | 2 +-
helm/cilium/Chart.yaml | 4 +--
helm/cilium/README.md | 20 +++++-------
helm/cilium/files/agent/poststart-eni.bash | 4 +--
.../templates/cilium-agent/daemonset.yaml | 2 +-
helm/cilium/templates/cilium-configmap.yaml | 3 --
.../metrics-service.yaml | 5 ++-
.../clustermesh-apiserver/servicemonitor.yaml | 5 ++-
.../tls-certmanager/relay-client-secret.yaml | 2 --
.../tls-certmanager/relay-server-secret.yaml | 2 --
.../hubble/tls-certmanager/server-secret.yaml | 2 --
.../tls-certmanager/ui-client-certs.yaml | 2 --
.../templates/spire/agent/daemonset.yaml | 11 ++-----
.../templates/spire/server/statefulset.yaml | 17 +--------
helm/cilium/values.schema.json | 12 -------
helm/cilium/values.yaml | 31 ++++++-------------
helm/cilium/values.yaml.tmpl | 19 +++--------
vendir.lock.yml | 6 ++--
vendir.yml | 2 +-
19 files changed, 39 insertions(+), 112 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 867eb8e8..988e00d4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed
-- Upgrade cilium to `1.14.4`.
+- Upgrade cilium to `1.14.3`.
## [0.17.0] - 2023-11-08
diff --git a/helm/cilium/Chart.yaml b/helm/cilium/Chart.yaml
index 358ccf43..ff66fa95 100644
--- a/helm/cilium/Chart.yaml
+++ b/helm/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: cilium
displayName: Cilium
home: https://cilium.io/
-version: 1.14.4
-appVersion: 1.14.4
+version: 1.14.3
+appVersion: 1.14.3
kubeVersion: ">= 1.16.0-0"
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
description: eBPF-based Networking, Security, and Observability
diff --git a/helm/cilium/README.md b/helm/cilium/README.md
index a088784d..2eeeb514 100644
--- a/helm/cilium/README.md
+++ b/helm/cilium/README.md
@@ -1,6 +1,6 @@
# cilium
-![Version: 1.14.4](https://img.shields.io/badge/Version-1.14.4-informational?style=flat-square) ![AppVersion: 1.14.4](https://img.shields.io/badge/AppVersion-1.14.4-informational?style=flat-square)
+![Version: 1.14.3](https://img.shields.io/badge/Version-1.14.3-informational?style=flat-square) ![AppVersion: 1.14.3](https://img.shields.io/badge/AppVersion-1.14.3-informational?style=flat-square)
Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as
@@ -72,10 +72,8 @@ contributors across the globe, there is almost always someone available to help.
| authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels |
| authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account |
| authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. |
-| authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
| authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
-| authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
| authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
| authentication.mutual.spire.install.server.ca.keyType | string | `"rsa-4096"` | SPIRE CA key type AWS requires the use of RSA. EC cryptography is not supported |
| authentication.mutual.spire.install.server.ca.subject | object | `{"commonName":"Cilium SPIRE CA","country":"US","organization":"SPIRE"}` | SPIRE CA Subject |
@@ -86,12 +84,10 @@ contributors across the globe, there is almost always someone available to help.
| authentication.mutual.spire.install.server.image | string | `"ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f"` | SPIRE server image |
| authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers |
| authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels |
-| authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| authentication.mutual.spire.install.server.service.annotations | object | `{}` | Annotations to be added to the SPIRE server service |
| authentication.mutual.spire.install.server.service.labels | object | `{}` | Labels to be added to the SPIRE server service |
| authentication.mutual.spire.install.server.service.type | string | `"ClusterIP"` | Service type for the SPIRE server service |
| authentication.mutual.spire.install.server.serviceAccount | object | `{"create":true,"name":"spire-server"}` | SPIRE server service account |
-| authentication.mutual.spire.install.server.tolerations | list | `[]` | SPIRE server tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| authentication.mutual.spire.serverAddress | string | `nil` | SPIRE server address used by Cilium Operator If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), Cilium Operator will resolve its address by looking up the clusterIP from Service resource.
Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081 |
| authentication.mutual.spire.trustDomain | string | `"spiffe.cilium"` | SPIFFE trust domain to use for fetching certificates |
| authentication.queueSize | int | `1024` | Buffer size of the channel Cilium uses to receive authentication events from the signal map. |
@@ -151,12 +147,12 @@ contributors across the globe, there is almost always someone available to help.
| clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
| clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
| clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.4","useDigest":false}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.3","useDigest":false}` | Clustermesh API server image. |
| clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
| clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
| clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
| clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.4","useDigest":false}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.3","useDigest":false}` | KVStoreMesh image.
|
| clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
| clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
| clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
@@ -308,7 +304,7 @@ contributors across the globe, there is almost always someone available to help.
| envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
| envoy.healthPort | int | `9878` | TCP port for the health API. |
| envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:bfa1e919ed02afc66e9ff36c1fd9148237fc8b8560a0b44d89acf144b0ffb08c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.25.10-f71a313bd0daee41470af31ce6ea20c750fe35dd","useDigest":true}` | Envoy container image. |
| envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
| envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
| envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -412,7 +408,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
| hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
| hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.4","useDigest":false}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.3","useDigest":false}` | Hubble-relay container image. |
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -504,7 +500,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
| identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":false}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.3","useDigest":false}` | Agent container image. |
| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
| ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
| ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -611,7 +607,7 @@ contributors across the globe, there is almost always someone available to help.
| operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.4","useDigest":false}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.3","useDigest":false}` | cilium-operator image. |
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -658,7 +654,7 @@ contributors across the globe, there is almost always someone available to help.
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
| preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
| preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":false}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.3","useDigest":false}` | Cilium pre-flight image. |
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
diff --git a/helm/cilium/files/agent/poststart-eni.bash b/helm/cilium/files/agent/poststart-eni.bash
index 66fccf45..1922ee71 100644
--- a/helm/cilium/files/agent/poststart-eni.bash
+++ b/helm/cilium/files/agent/poststart-eni.bash
@@ -11,9 +11,9 @@ set -o nounset
# dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in
# case of a restart).
-if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
+if [[ "$(iptables-save | grep -c AWS-SNAT-CHAIN)" != "0" ]];
then
echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
- iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
+ iptables-save | grep -v AWS-SNAT-CHAIN | iptables-restore
fi
echo 'Done!'
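Review bot: The new guard and the cleanup pipe match only `AWS-SNAT-CHAIN`, so any `AWS-CONNMARK-CHAIN` rules the AWS VPC CNI left on the node (the chain the removed pattern also named) survive the `iptables-restore` and presumably keep acting on traffic after Cilium has taken over. The removed pattern would not have matched that chain either, since plain `grep` reads `|` literally rather than as alternation, so if both chains are meant to go the pattern needs extended regex in both places: `if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];` and `iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore`. The script begins before this hunk, so whether `pipefail` is set alongside the visible `set -o nounset` cannot be checked here; without it a failing `iptables-save` is masked by the exit status of `iptables-restore`.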
diff --git a/helm/cilium/templates/cilium-agent/daemonset.yaml b/helm/cilium/templates/cilium-agent/daemonset.yaml
index ac01f755..9ccb4174 100644
--- a/helm/cilium/templates/cilium-agent/daemonset.yaml
+++ b/helm/cilium/templates/cilium-agent/daemonset.yaml
@@ -217,7 +217,7 @@ spec:
{{- end }}
{{- if .Values.cni.install }}
lifecycle:
- {{- if ne .Values.cni.chainingMode "aws-cni" }}
+ {{- if .Values.eni.enabled }}
postStart:
exec:
command:
diff --git a/helm/cilium/templates/cilium-configmap.yaml b/helm/cilium/templates/cilium-configmap.yaml
index 42eca9b8..0adb6810 100644
--- a/helm/cilium/templates/cilium-configmap.yaml
+++ b/helm/cilium/templates/cilium-configmap.yaml
@@ -583,9 +583,6 @@ data:
{{- if .Values.encryption.wireguard.userspaceFallback }}
enable-wireguard-userspace-fallback: {{ .Values.encryption.wireguard.userspaceFallback | quote }}
{{- end }}
- {{- if .Values.encryption.wireguard.encapsulate }}
- wireguard-encapsulate: {{ .Values.encryption.wireguard.encapsulate | quote }}
- {{- end }}
{{- end }}
{{- if .Values.encryption.nodeEncryption }}
encrypt-node: {{ .Values.encryption.nodeEncryption | quote }}
diff --git a/helm/cilium/templates/clustermesh-apiserver/metrics-service.yaml b/helm/cilium/templates/clustermesh-apiserver/metrics-service.yaml
index 63b50ace..3240a571 100644
--- a/helm/cilium/templates/clustermesh-apiserver/metrics-service.yaml
+++ b/helm/cilium/templates/clustermesh-apiserver/metrics-service.yaml
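Review bot: The postStart hook is now gated on `.Values.eni.enabled` alone and nothing in the template says why that value, rather than the CNI chaining mode, decides whether it runs; since the hook executes poststart-eni.bash, which this same patch shows deleting AWS VPC CNI iptables rules on the node, a reader cannot tell from this block whether an AWS cluster with `cni.chainingMode: aws-cni` and `eni.enabled: true` is an intended combination or one that would have its chained plugin's rules flushed. Add a template comment above the condition, e.g. `{{- /* postStart runs poststart-eni.bash, which deletes AWS VPC CNI iptables chains on the node */ -}}`, and if that combination is not intended consider guarding it explicitly with `{{- if and .Values.eni.enabled (ne .Values.cni.chainingMode "aws-cni") }}`. The `lifecycle` block continues past the end of the hunk.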
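Review bot: Dropping the `wireguard-encapsulate` key from the ConfigMap means any `encryption.wireguard.encapsulate` value a user still sets is silently ignored, and this patch does not touch that key in values.yaml or values.schema.json; if it is still declared there it should be removed in the same change, otherwise the schema keeps accepting a setting that never reaches the agent. Alternatively add a comment at the removal point, e.g. `{{- /* encryption.wireguard.encapsulate is not supported by this cilium version */ -}}`, so the next reader does not re-add it. The enclosing conditional block opens before this hunk.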
@@ -1,7 +1,6 @@
-{{- $kvstoreMetricsEnabled := and .Values.clustermesh.apiserver.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled -}}
{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer)
- (or .Values.clustermesh.apiserver.metrics.enabled $kvstoreMetricsEnabled .Values.clustermesh.apiserver.metrics.etcd.enabled) }}
+ (or .Values.clustermesh.apiserver.metrics.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.etcd.enabled) }}
apiVersion: v1
kind: Service
metadata:
@@ -22,7 +21,7 @@ spec:
protocol: TCP
targetPort: apiserv-metrics
{{- end }}
- {{- if $kvstoreMetricsEnabled }}
+ {{- if .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled }}
- name: kvmesh-metrics
port: {{ .Values.clustermesh.apiserver.metrics.kvstoremesh.port }}
protocol: TCP
diff --git a/helm/cilium/templates/clustermesh-apiserver/servicemonitor.yaml b/helm/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
index d5ba6420..402701a0 100644
--- a/helm/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
+++ b/helm/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
@@ -1,7 +1,6 @@
-{{- $kvstoreMetricsEnabled := and .Values.clustermesh.apiserver.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled -}}
{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer)
- (or .Values.clustermesh.apiserver.metrics.enabled $kvstoreMetricsEnabled .Values.clustermesh.apiserver.metrics.etcd.enabled)
+ (or .Values.clustermesh.apiserver.metrics.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.etcd.enabled)
.Values.clustermesh.apiserver.metrics.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
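Review bot: The new condition renders the `kvmesh-metrics` port whenever `clustermesh.apiserver.metrics.kvstoremesh.enabled` is true without also checking `clustermesh.apiserver.kvstoremesh.enabled`, so a deployment with KVStoreMesh disabled but its metrics flag left on gets a Service port with no container behind it, and the ServiceMonitor in servicemonitor.yaml (the same substitution in both of its hunks) then scrapes an endpoint that never answers. The README in this patch lists `clustermesh.apiserver.kvstoremesh.enabled` defaulting to `false`; whether the default values hit this depends on the metrics flag's default, which is not visible here. If the revert is deliberate, document the two flags as coupled in values.yaml; otherwise keep the conjunction inline in both templates, `{{- if and .Values.clustermesh.apiserver.kvstoremesh.enabled .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled }}`.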
@@ -41,7 +40,7 @@ spec:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
- {{- if $kvstoreMetricsEnabled }}
+ {{- if .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled }}
- port: kvmesh-metrics
interval: {{ .Values.clustermesh.apiserver.metrics.serviceMonitor.kvstoremesh.interval | quote }}
honorLabels: true
diff --git a/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
index 23bea64b..58d17370 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
@@ -13,6 +13,4 @@ spec:
dnsNames:
- "*.hubble-relay.cilium.io"
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
- privateKey:
- rotationPolicy: Always
{{- end }}
diff --git a/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
index 77f2800e..b8e9fdee 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
@@ -22,6 +22,4 @@ spec:
{{- end }}
{{- end }}
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
- privateKey:
- rotationPolicy: Always
{{- end }}
diff --git a/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml
index 1ca815fb..3517c52c 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml
@@ -23,6 +23,4 @@ spec:
{{- end }}
{{- end }}
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
- privateKey:
- rotationPolicy: Always
{{- end }}
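Review bot: Removing `privateKey.rotationPolicy: Always` from the hubble-relay client Certificate means cert-manager falls back to its default of reusing the existing private key at every renewal, so the key pair lives as long as the Secret does and only the certificate is re-issued; a key that leaks is then valid for every future renewal rather than until the next one. The same two lines are dropped from relay-server-secret.yaml, server-secret.yaml and ui-client-certs.yaml in this patch. If the removal is forced by the cert-manager version in use, record that in a template comment; otherwise keep `privateKey:` / `rotationPolicy: Always` in all four Certificates so renewal also rotates the key. The Certificate `spec` opens before each of these hunks.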
diff --git a/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
index 88d59490..f2256219 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
@@ -13,6 +13,4 @@ spec:
dnsNames:
- "*.hubble-ui.cilium.io"
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
- privateKey:
- rotationPolicy: Always
{{- end }}
diff --git a/helm/cilium/templates/spire/agent/daemonset.yaml b/helm/cilium/templates/spire/agent/daemonset.yaml
index 758b17c1..4bcf2c04 100644
--- a/helm/cilium/templates/spire/agent/daemonset.yaml
+++ b/helm/cilium/templates/spire/agent/daemonset.yaml
@@ -10,8 +10,8 @@ metadata:
{{- end }}
labels:
app: spire-agent
- {{- with .Values.authentication.mutual.spire.install.agent.labels }}
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.authentication.mutual.spire.install.server.labels }}
+ {{- toYaml . | nindent 8 }}
{{- end }}
spec:
selector:
@@ -22,9 +22,6 @@ spec:
namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
labels:
app: spire-agent
- {{- with .Values.authentication.mutual.spire.install.agent.labels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
spec:
hostPID: true
hostNetwork: true
@@ -72,10 +69,6 @@ spec:
port: 4251
initialDelaySeconds: 5
periodSeconds: 5
- {{- with .Values.authentication.mutual.spire.install.agent.tolerations }}
- tolerations:
- {{- toYaml . | trim | nindent 8 }}
- {{- end }}
volumes:
- name: spire-config
configMap:
diff --git a/helm/cilium/templates/spire/server/statefulset.yaml b/helm/cilium/templates/spire/server/statefulset.yaml
index 43c2c9ee..0ea60a62 100644
--- a/helm/cilium/templates/spire/server/statefulset.yaml
+++ b/helm/cilium/templates/spire/server/statefulset.yaml
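Review bot: The DaemonSet's object-level `metadata.labels` now reads `...spire.install.server.labels` and renders it with `nindent 8`, but this block sits under the two-space `labels:` key next to `app: spire-agent`, so any server label lands four levels deeper than its sibling and the agent DaemonSet is labelled with the server's values rather than `agent.labels`; the second hunk then drops the pod-template labels entirely, leaving `agent.labels` (still documented in README.md in this patch) with no effect. The same `nindent 4` to `nindent 8` switch at object level appears in spire/server/statefulset.yaml. Presumably the object-level lines should stay `{{- with .Values.authentication.mutual.spire.install.agent.labels }}` / `{{- toYaml . | nindent 4 }}`; if the revert must match upstream 1.14.3 exactly, the mismatch should at least be called out in the commit message.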
@@ -11,7 +11,7 @@ metadata:
labels:
app: spire-server
{{- with .Values.authentication.mutual.spire.install.server.labels }}
- {{- toYaml . | nindent 4 }}
+ {{- toYaml . | nindent 8 }}
{{- end }}
spec:
replicas: 1
@@ -23,9 +23,6 @@ spec:
metadata:
labels:
app: spire-server
- {{- with .Values.authentication.mutual.spire.install.server.labels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
spec:
serviceAccountName: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
shareProcessNamespace: true
@@ -75,18 +72,6 @@ spec:
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
- {{- with .Values.authentication.mutual.spire.install.server.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.authentication.mutual.spire.install.server.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.authentication.mutual.spire.install.server.tolerations }}
- tolerations:
- {{- toYaml . | trim | nindent 8 }}
- {{- end }}
volumes:
- name: spire-config
configMap:
diff --git a/helm/cilium/values.schema.json b/helm/cilium/values.schema.json
index c3445c9a..dedc0f89 100644
--- a/helm/cilium/values.schema.json
+++ b/helm/cilium/values.schema.json
@@ -122,9 +122,6 @@
},
"skipKubeletVerification": {
"type": "boolean"
- },
- "tolerations": {
- "type": "array"
}
}
},
@@ -137,9 +134,6 @@
"server": {
"type": "object",
"properties": {
- "affinity": {
- "type": "object"
- },
"annotations": {
"type": "object"
},
@@ -191,9 +185,6 @@
"labels": {
"type": "object"
},
- "nodeSelector": {
- "type": "object"
- },
"service": {
"type": "object",
"properties": {
@@ -218,9 +209,6 @@
"type": "string"
}
}
- },
- "tolerations": {
- "type": "array"
}
}
}
diff --git a/helm/cilium/values.yaml b/helm/cilium/values.yaml
index 87907376..827218ae 100644
--- a/helm/cilium/values.yaml
+++ b/helm/cilium/values.yaml
@@ -153,7 +153,7 @@ image:
registry: docker.io
override: ~
repository: "giantswarm/cilium"
- tag: "v1.14.4"
+ tag: "v1.14.3"
pullPolicy: "IfNotPresent"
# cilium-digest
digest: ""
@@ -1120,7 +1120,7 @@ hubble:
image:
override: ~
repository: "giantswarm/hubble-relay"
- tag: "v1.14.4"
+ tag: "v1.14.3"
# hubble-relay-digest
digest: ""
useDigest: false
@@ -1859,9 +1859,9 @@ envoy:
image:
override: ~
repository: "quay.io/cilium/cilium-envoy"
- tag: "v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1"
+ tag: "v1.25.10-f71a313bd0daee41470af31ce6ea20c750fe35dd"
pullPolicy: "IfNotPresent"
- digest: "sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea"
+ digest: "sha256:bfa1e919ed02afc66e9ff36c1fd9148237fc8b8560a0b44d89acf144b0ffb08c"
useDigest: true
# -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2256,7 +2256,7 @@ operator:
image:
override: ~
repository: "giantswarm/cilium-operator"
- tag: "v1.14.4"
+ tag: "v1.14.3"
# operator-generic-digest
genericDigest: ""
# operator-azure-digest
@@ -2543,7 +2543,7 @@ preflight:
image:
override: ~
repository: "giantswarm/cilium"
- tag: "v1.14.4"
+ tag: "v1.14.3"
# cilium-digest
digest: ""
useDigest: false
@@ -2693,7 +2693,7 @@ clustermesh:
image:
override: ~
repository: "giantswarm/clustermesh-apiserver"
- tag: "v1.14.4"
+ tag: "v1.14.3"
# clustermesh-apiserver-digest
digest: ""
useDigest: false
@@ -2740,7 +2740,7 @@ clustermesh:
image:
override: ~
repository: "quay.io/cilium/kvstoremesh"
- tag: "v1.14.4"
+ tag: "v1.14.3"
# kvstoremesh-digest
digest: ""
useDigest: false
@@ -3138,14 +3138,11 @@ authentication:
create: true
name: spire-agent
# -- SPIRE agent annotations
- annotations: {}
+ annotations: { }
# -- SPIRE agent labels
- labels: {}
+ labels: { }
# -- SPIRE Workload Attestor kubelet verification.
skipKubeletVerification: true
- # -- SPIRE agent tolerations configuration
- # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
- tolerations: []
server:
# -- SPIRE server image
image: ghcr.io/spiffe/spire-server:1.6.3
@@ -3167,14 +3164,6 @@ authentication:
annotations: {}
# -- Labels to be added to the SPIRE server service
labels: {}
- # -- SPIRE server affinity configuration
- affinity: {}
- # -- SPIRE server nodeSelector configuration
- # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
- nodeSelector: {}
- # -- SPIRE server tolerations configuration
- # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
- tolerations: []
# SPIRE server datastorage configuration
dataStorage:
# -- Enable SPIRE server data storage
diff --git a/helm/cilium/values.yaml.tmpl b/helm/cilium/values.yaml.tmpl
index 5c72fefa..91be377a 100644
--- a/helm/cilium/values.yaml.tmpl
+++ b/helm/cilium/values.yaml.tmpl
@@ -1845,9 +1845,9 @@ envoy:
image:
override: ~
repository: "quay.io/cilium/cilium-envoy"
- tag: "v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1"
+ tag: "v1.25.10-f71a313bd0daee41470af31ce6ea20c750fe35dd"
pullPolicy: "${PULL_POLICY}"
- digest: "sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea"
+ digest: "sha256:bfa1e919ed02afc66e9ff36c1fd9148237fc8b8560a0b44d89acf144b0ffb08c"
useDigest: true
# -- Additional containers added to the cilium Envoy DaemonSet.
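Review bot: `annotations: { }` and `labels: { }` introduce a flow-mapping spelling with an inner space that the rest of the file does not use; the unchanged `annotations: {}` and `labels: {}` at the top of the very next hunk show the file's convention, and helm-docs renders both forms as `{}` anyway, so the change is diff noise rather than a behaviour change. Write them as `annotations: {}` and `labels: {}`. The same two lines appear in the values.yaml.tmpl hunk of this patch and should match.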
@@ -3124,14 +3124,11 @@ authentication:
create: true
name: spire-agent
# -- SPIRE agent annotations
- annotations: {}
+ annotations: { }
# -- SPIRE agent labels
- labels: {}
+ labels: { }
# -- SPIRE Workload Attestor kubelet verification.
skipKubeletVerification: true
- # -- SPIRE agent tolerations configuration
- # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
- tolerations: []
server:
# -- SPIRE server image
image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f
@@ -3153,14 +3150,6 @@ authentication:
annotations: {}
# -- Labels to be added to the SPIRE server service
labels: {}
- # -- SPIRE server affinity configuration
- affinity: {}
- # -- SPIRE server nodeSelector configuration
- # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
- nodeSelector: {}
- # -- SPIRE server tolerations configuration
- # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
- tolerations: []
# SPIRE server datastorage configuration
dataStorage:
# -- Enable SPIRE server data storage
diff --git a/vendir.lock.yml b/vendir.lock.yml
index e1cc450f..4eddd65d 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- git:
- commitTitle: Fix typo in cilium operator image name
- sha: e2ee5324a5610ebeaebb8ba953e08a29f3791487
+ commitTitle: Migrate proxy.prometheus.port to envoy.prometheus.port
+ sha: 7d82c9c436b9343a6a95f7dc48a4e0e7bf7b6cbd
tags:
- - v1.14.3-122-ge2ee5324a5
+ - v1.14.3-21-g7d82c9c436
path: cilium
path: vendor
- contents:
diff --git a/vendir.yml b/vendir.yml
index 8da5ace2..ba1abe49 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories:
- path: cilium
git:
url: https://github.com/giantswarm/cilium
- ref: "v1.14"
+ ref: "upgrade-1-14-3"
includePaths:
- install/kubernetes/cilium/**/*
- path: helm/cilium
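Review bot: `ref: "upgrade-1-14-3"` points the vendored chart source at what reads as a work-in-progress branch rather than the `v1.14` ref used before, so what it resolves to can move under the lock; vendir.lock.yml in this patch records sha `7d82c9c436b9343a6a95f7dc48a4e0e7bf7b6cbd`, but a sync run without the lock picks up whatever the branch points to at that moment, and the vendored templates are what ends up in the released chart. Once the upstream work lands, pin this to an immutable ref, `ref: "<tag-or-commit-sha>"`, or add a comment above the line stating that the branch reference is temporary and which tag it is expected to become.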