diff --git a/diffs/helm__Makefile.values.patch b/diffs/helm__Makefile.values.patch index c06cf36e..bbe20bfa 100644 --- a/diffs/helm__Makefile.values.patch +++ b/diffs/helm__Makefile.values.patch @@ -1,8 +1,8 @@ diff --git a/vendor/cilium/install/kubernetes/Makefile.values b/helm/Makefile.values -index 89f3f9e..7f7912d 100644 +index fc8ed9a..7f7912d 100644 --- a/vendor/cilium/install/kubernetes/Makefile.values +++ b/helm/Makefile.values -@@ -13,47 +13,47 @@ export RELEASE := yes +@@ -13,63 +13,56 @@ export RELEASE := yes ifeq ($(RELEASE),yes) export CILIUM_BRANCH:=v1.15 export PULL_POLICY:=IfNotPresent 
@@ -33,35 +33,64 @@ index 89f3f9e..7f7912d 100644 $(error "CILIUM_BRANCH needs to be defined") endif +-# renovate: datasource=docker -export CERTGEN_REPO:=quay.io/cilium/certgen +-export CERTGEN_VERSION:=v0.1.15 +-export CERTGEN_DIGEST:=sha256:a82265cd78234505802772fb6256bcfa8231b718d2652ad815eb479fc3cc8028 +export CERTGEN_REPO:=giantswarm/cilium-certgen - # renovate: datasource=docker depName=quay.io/cilium/certgen - export CERTGEN_VERSION:=v0.1.12 - export CERTGEN_DIGEST:=sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e ++# renovate: datasource=docker depName=quay.io/cilium/certgen ++export CERTGEN_VERSION:=v0.1.12 ++export CERTGEN_DIGEST:=sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e +-# renovate: datasource=docker -export CILIUM_ETCD_OPERATOR_REPO:=quay.io/cilium/cilium-etcd-operator -export CILIUM_ETCD_OPERATOR_VERSION:=v2.0.7 +export CILIUM_ETCD_OPERATOR_REPO:=giantswarm/cilium-etcd-operator +export CILIUM_ETCD_OPERATOR_VERSION:=v2.0.7@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc export CILIUM_ETCD_OPERATOR_DIGEST:=sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc +-# renovate: datasource=docker -export CILIUM_NODEINIT_REPO:=quay.io/cilium/startup-script +-export CILIUM_NODEINIT_VERSION:=c54c7edeab7fde4da68e59acd319ab24af242c3f +-export CILIUM_NODEINIT_DIGEST:=sha256:8d7b41c4ca45860254b3c19e20210462ef89479bb6331d6760c4e609d651b29c +export CILIUM_NODEINIT_REPO:=giantswarm/cilium-startup-script - # renovate: datasource=docker depName=quay.io/cilium/startup-script - export CILIUM_NODEINIT_VERSION:=19fb149fb3d5c7a37d3edfaf10a2be3ab7386661 - export CILIUM_NODEINIT_DIGEST:=sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456 ++# renovate: datasource=docker depName=quay.io/cilium/startup-script ++export CILIUM_NODEINIT_VERSION:=19fb149fb3d5c7a37d3edfaf10a2be3ab7386661 ++export 
CILIUM_NODEINIT_DIGEST:=sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456 +-# renovate: datasource=docker -export CILIUM_ENVOY_REPO:=quay.io/cilium/cilium-envoy +-export CILIUM_ENVOY_VERSION:=v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 +-export CILIUM_ENVOY_DIGEST:=sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced +export CILIUM_ENVOY_REPO:=giantswarm/cilium-envoy - export CILIUM_ENVOY_VERSION:=v1.28.4-b35188ffa1bbe54d1720d2e392779f7a48e58f6b - export CILIUM_ENVOY_DIGEST:=sha256:b528b291561e459024f66414ac3325b88cdd8f9f4854828a155a11e5b10b78a3 ++export CILIUM_ENVOY_VERSION:=v1.28.4-b35188ffa1bbe54d1720d2e392779f7a48e58f6b ++export CILIUM_ENVOY_DIGEST:=sha256:b528b291561e459024f66414ac3325b88cdd8f9f4854828a155a11e5b10b78a3 +-# renovate: datasource=docker -export HUBBLE_UI_BACKEND_REPO:=quay.io/cilium/hubble-ui-backend -+export HUBBLE_UI_BACKEND_REPO:=giantswarm/hubble-ui-backend - export HUBBLE_UI_BACKEND_VERSION:=v0.13.0 - export HUBBLE_UI_BACKEND_DIGEST:=sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803 +-export HUBBLE_UI_BACKEND_VERSION:=v0.13.1 +-export HUBBLE_UI_BACKEND_DIGEST:=sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b +-# renovate: datasource=docker -export HUBBLE_UI_FRONTEND_REPO:=quay.io/cilium/hubble-ui +-export HUBBLE_UI_FRONTEND_VERSION:=v0.13.1 +-export HUBBLE_UI_FRONTEND_DIGEST:=sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6 ++export HUBBLE_UI_BACKEND_REPO:=giantswarm/hubble-ui-backend ++export HUBBLE_UI_BACKEND_VERSION:=v0.13.0 ++export HUBBLE_UI_BACKEND_DIGEST:=sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803 +export HUBBLE_UI_FRONTEND_REPO:=giantswarm/hubble-ui - export HUBBLE_UI_FRONTEND_VERSION:=v0.13.0 - export HUBBLE_UI_FRONTEND_DIGEST:=sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666 ++export HUBBLE_UI_FRONTEND_VERSION:=v0.13.0 ++export 
HUBBLE_UI_FRONTEND_DIGEST:=sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666 +-# renovate: datasource=docker + export SPIRE_INIT_REPO:=docker.io/library/busybox + export SPIRE_INIT_VERSION:=1.36.1 +-export SPIRE_INIT_DIGEST:=sha256:d75b758a4fea99ffff4db799e16f853bbde8643671b5b72464a8ba94cbe3dbe3 +-# renovate: datasource=docker ++export SPIRE_INIT_DIGEST:=sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b + export SPIRE_SERVER_REPO:=ghcr.io/spiffe/spire-server + export SPIRE_SERVER_VERSION:=1.8.5 + export SPIRE_SERVER_DIGEST:=sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428 +-# renovate: datasource=docker + export SPIRE_AGENT_REPO:=ghcr.io/spiffe/spire-agent + export SPIRE_AGENT_VERSION:=1.8.5 + export SPIRE_AGENT_DIGEST:=sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b diff --git a/diffs/helm__cilium__templates___helpers.tpl.patch b/diffs/helm__cilium__templates___helpers.tpl.patch index 37f605c4..1d689138 100644 --- a/diffs/helm__cilium__templates___helpers.tpl.patch +++ b/diffs/helm__cilium__templates___helpers.tpl.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/_helpers.tpl b/helm/cilium/templates/_helpers.tpl -index 3e5429e..b96b3f8 100644 +index 39b3d69..4ef0bc4 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/_helpers.tpl +++ b/helm/cilium/templates/_helpers.tpl @@ -18,11 +18,20 @@ then `include "cilium.image" .Values.image` diff --git a/diffs/helm__cilium__templates__cilium-agent__daemonset.yaml.patch b/diffs/helm__cilium__templates__cilium-agent__daemonset.yaml.patch index ef7ae9c2..796894b9 100644 --- a/diffs/helm__cilium__templates__cilium-agent__daemonset.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-agent__daemonset.yaml.patch @@ -1,5 +1,5 @@ 
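Review bot: The re-added `++export CILIUM_ENVOY_VERSION:=v1.28.4-…` and `++export HUBBLE_UI_BACKEND_VERSION:=v0.13.0` / `++export HUBBLE_UI_FRONTEND_VERSION:=v0.13.0` pins replace upstream's v1.30.8-… and v0.13.1 lines, yet unlike the certgen and startup-script blocks they carry no renovate annotation, so the giantswarm mirrors will not be bumped automatically and will keep lagging the upstream versions this rebase removed. Add `++# renovate: datasource=docker depName=quay.io/cilium/cilium-envoy` above the envoy VERSION line and the matching `depName=quay.io/cilium/hubble-ui-backend` / `depName=quay.io/cilium/hubble-ui` lines above the hubble-ui pins, mirroring the certgen block. The `++export SPIRE_INIT_DIGEST:=sha256:223ae…` override swaps upstream's digest for the same busybox 1.36.1 tag with nothing saying why; a one-line comment above it would spare the next rebase the question. Separately, `CILIUM_ETCD_OPERATOR_VERSION:=v2.0.7@sha256:04b8…` already embeds the digest that `CILIUM_ETCD_OPERATOR_DIGEST` also carries — if the etcd-operator template renders both tag and digest the reference would be malformed, which is worth confirming against that template.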
diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/helm/cilium/templates/cilium-agent/daemonset.yaml -index 2949091..2eebb44 100644 +index c18cc09..6b3c1e3 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml +++ b/helm/cilium/templates/cilium-agent/daemonset.yaml @@ -94,7 +94,7 @@ spec: @@ -11,7 +11,7 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.sleepAfterInit }} command: -@@ -209,6 +209,18 @@ spec: +@@ -196,6 +196,18 @@ spec: resourceFieldRef: resource: limits.memory divisor: '1' @@ -30,7 +30,7 @@ index 2949091..2eebb44 100644 {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST value: {{ .Values.k8sServiceHost | quote }} -@@ -394,7 +406,7 @@ spec: +@@ -381,7 +393,7 @@ spec: {{- end }} {{- if .Values.monitor.enabled }} - name: cilium-monitor @@ -39,7 +39,7 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /bin/bash -@@ -426,7 +438,7 @@ spec: +@@ -413,7 +425,7 @@ spec: {{- end }} initContainers: - name: config @@ -48,7 +48,7 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} command: - cilium-dbg -@@ -454,6 +466,18 @@ spec: +@@ -441,6 +453,18 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace @@ -67,7 +67,7 @@ index 2949091..2eebb44 100644 {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST value: {{ .Values.k8sServiceHost | quote }} -@@ -481,7 +505,7 @@ spec: +@@ -468,7 +492,7 @@ spec: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup 
@@ -76,16 +76,16 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: CGROUP_ROOT -@@ -527,7 +551,7 @@ spec: - - ALL - {{- end}} +@@ -516,7 +540,7 @@ spec: + {{- end }} + {{- if .Values.sysctlfix.enabled }} - name: apply-sysctl-overwrites - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" (list $ .Values.image) | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: -@@ -576,7 +600,7 @@ spec: +@@ -565,7 +589,7 @@ spec: # from a privileged container because the mount propagation bidirectional # only works from privileged containers. - name: mount-bpf-fs @@ -94,7 +94,7 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: -@@ -601,7 +625,7 @@ spec: +@@ -590,7 +614,7 @@ spec: {{- end }} {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }} - name: wait-for-node-init @@ -103,7 +103,7 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: -@@ -621,7 +645,7 @@ spec: +@@ -610,7 +634,7 @@ spec: mountPath: "/tmp/cilium-bootstrap.d" {{- end }} - name: clean-cilium-state @@ -112,7 +112,7 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /init-container.sh -@@ -693,7 +717,7 @@ spec: +@@ -682,7 +706,7 @@ spec: {{- end }} {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true")) }} - name: wait-for-kube-proxy @@ -121,7 +121,7 @@ index 2949091..2eebb44 100644 imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: -@@ -728,10 +752,22 @@ spec: +@@ -717,10 +741,22 @@ spec: done terminationMessagePolicy: FallbackToLogsOnError {{- end }} # wait-for-kube-proxy 
diff --git a/diffs/helm__cilium__templates__cilium-configmap.yaml.patch b/diffs/helm__cilium__templates__cilium-configmap.yaml.patch index 155672dd..99146b7a 100644 --- a/diffs/helm__cilium__templates__cilium-configmap.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-configmap.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-configmap.yaml b/helm/cilium/templates/cilium-configmap.yaml -index 9531ca1..f1362e5 100644 +index 8ca8469..1571fb5 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-configmap.yaml +++ b/helm/cilium/templates/cilium-configmap.yaml @@ -810,10 +810,7 @@ data: diff --git a/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch b/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch index 7849f7d6..a4daf716 100644 --- a/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch @@ -1,8 +1,8 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-envoy/daemonset.yaml b/helm/cilium/templates/cilium-envoy/daemonset.yaml -index 30b9af0..a9cd4b7 100644 +index d20e383..26ffd96 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-envoy/daemonset.yaml +++ b/helm/cilium/templates/cilium-envoy/daemonset.yaml -@@ -69,7 +69,7 @@ spec: +@@ -65,7 +65,7 @@ spec: {{- end }} containers: - name: cilium-envoy diff --git a/diffs/helm__cilium__templates__cilium-nodeinit__daemonset.yaml.patch b/diffs/helm__cilium__templates__cilium-nodeinit__daemonset.yaml.patch index 026622fc..f649355f 100644 --- a/diffs/helm__cilium__templates__cilium-nodeinit__daemonset.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-nodeinit__daemonset.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-nodeinit/daemonset.yaml b/helm/cilium/templates/cilium-nodeinit/daemonset.yaml -index 3ed0926..e268da7 100644 +index c92eabf..86492b1 100644 
--- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-nodeinit/daemonset.yaml +++ b/helm/cilium/templates/cilium-nodeinit/daemonset.yaml @@ -58,7 +58,7 @@ spec: diff --git a/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch b/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch index de11ebc3..58142799 100644 --- a/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-operator/deployment.yaml b/helm/cilium/templates/cilium-operator/deployment.yaml -index 4f4450e..cd73c8a 100644 +index 5c6c467..53ddcae 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-operator/deployment.yaml +++ b/helm/cilium/templates/cilium-operator/deployment.yaml @@ -71,7 +71,7 @@ spec: diff --git a/diffs/helm__cilium__templates__cilium-preflight__daemonset.yaml.patch b/diffs/helm__cilium__templates__cilium-preflight__daemonset.yaml.patch index 9d605044..419cc9fb 100644 --- a/diffs/helm__cilium__templates__cilium-preflight__daemonset.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-preflight__daemonset.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-preflight/daemonset.yaml b/helm/cilium/templates/cilium-preflight/daemonset.yaml -index b0f646d..f9ace4d 100644 +index b522861..3d0b6d2 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-preflight/daemonset.yaml +++ b/helm/cilium/templates/cilium-preflight/daemonset.yaml @@ -42,7 +42,7 @@ spec: diff --git a/diffs/helm__cilium__templates__cilium-preflight__deployment.yaml.patch b/diffs/helm__cilium__templates__cilium-preflight__deployment.yaml.patch index d62412d4..692fd5c1 100644 --- a/diffs/helm__cilium__templates__cilium-preflight__deployment.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-preflight__deployment.yaml.patch 
@@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-preflight/deployment.yaml b/helm/cilium/templates/cilium-preflight/deployment.yaml -index af0a31b..9c259d4 100644 +index 1f87d20..78ad792 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-preflight/deployment.yaml +++ b/helm/cilium/templates/cilium-preflight/deployment.yaml @@ -37,7 +37,7 @@ spec: diff --git a/diffs/helm__cilium__templates__clustermesh-apiserver__deployment.yaml.patch b/diffs/helm__cilium__templates__clustermesh-apiserver__deployment.yaml.patch index 2461cd67..8a22f979 100644 --- a/diffs/helm__cilium__templates__clustermesh-apiserver__deployment.yaml.patch +++ b/diffs/helm__cilium__templates__clustermesh-apiserver__deployment.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/clustermesh-apiserver/deployment.yaml b/helm/cilium/templates/clustermesh-apiserver/deployment.yaml -index 6c5e6c3..332c655 100644 +index f0d551b..a91d4fb 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/clustermesh-apiserver/deployment.yaml +++ b/helm/cilium/templates/clustermesh-apiserver/deployment.yaml @@ -48,7 +48,7 @@ spec: diff --git a/diffs/helm__cilium__templates__etcd-operator__cilium-etcd-operator-deployment.yaml.patch b/diffs/helm__cilium__templates__etcd-operator__cilium-etcd-operator-deployment.yaml.patch index e9854995..3886fddb 100644 --- a/diffs/helm__cilium__templates__etcd-operator__cilium-etcd-operator-deployment.yaml.patch +++ b/diffs/helm__cilium__templates__etcd-operator__cilium-etcd-operator-deployment.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml b/helm/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml -index 5946219..e5b730b 100644 +index 7aefc0d..9802aed 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml 
+++ b/helm/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml @@ -94,7 +94,7 @@ spec: diff --git a/diffs/helm__cilium__templates__hubble-relay__deployment.yaml.patch b/diffs/helm__cilium__templates__hubble-relay__deployment.yaml.patch index 79e06221..512cdd2f 100644 --- a/diffs/helm__cilium__templates__hubble-relay__deployment.yaml.patch +++ b/diffs/helm__cilium__templates__hubble-relay__deployment.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/hubble-relay/deployment.yaml b/helm/cilium/templates/hubble-relay/deployment.yaml -index 52b9eba..525885c 100644 +index 5a5fb35..0040546 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/hubble-relay/deployment.yaml +++ b/helm/cilium/templates/hubble-relay/deployment.yaml @@ -53,7 +53,7 @@ spec: diff --git a/diffs/helm__cilium__templates__hubble-ui__deployment.yaml.patch b/diffs/helm__cilium__templates__hubble-ui__deployment.yaml.patch index d3081930..726600bf 100644 --- a/diffs/helm__cilium__templates__hubble-ui__deployment.yaml.patch +++ b/diffs/helm__cilium__templates__hubble-ui__deployment.yaml.patch @@ -1,8 +1,8 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/hubble-ui/deployment.yaml b/helm/cilium/templates/hubble-ui/deployment.yaml -index cb6bd5d..f567cac 100644 +index 105907a..3292482 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/hubble-ui/deployment.yaml +++ b/helm/cilium/templates/hubble-ui/deployment.yaml -@@ -53,7 +53,7 @@ spec: +@@ -52,7 +52,7 @@ spec: {{- end }} containers: - name: frontend @@ -11,7 +11,7 @@ index cb6bd5d..f567cac 100644 imagePullPolicy: {{ .Values.hubble.ui.frontend.image.pullPolicy }} ports: - name: http -@@ -89,7 +89,7 @@ spec: +@@ -88,7 +88,7 @@ spec: {{- toYaml . | trim | nindent 10 }} {{- end }} - name: backend diff --git a/diffs/helm__cilium__values.yaml.tmpl.patch b/diffs/helm__cilium__values.yaml.tmpl.patch index c455c52e..a7d4dc24 100644 
--- a/diffs/helm__cilium__values.yaml.tmpl.patch +++ b/diffs/helm__cilium__values.yaml.tmpl.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/values.yaml.tmpl b/helm/cilium/values.yaml.tmpl -index 679b4ca..1ba50fc 100644 +index d130050..1ad0115 100644 --- a/vendor/cilium/install/kubernetes/cilium/values.yaml.tmpl +++ b/helm/cilium/values.yaml.tmpl @@ -8,6 +8,9 @@ @@ -869,7 +869,7 @@ index 679b4ca..1ba50fc 100644 repository: "${CLUSTERMESH_APISERVER_REPO}" tag: "${CILIUM_VERSION}" # clustermesh-apiserver-digest -@@ -3059,12 +3290,17 @@ clustermesh: +@@ -3056,11 +3287,17 @@ clustermesh: # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 annotations: {} @@ -885,12 +885,11 @@ index 679b4ca..1ba50fc 100644 + # @schema # -- The internalTrafficPolicy of service used for apiserver access. - internalTrafficPolicy: -- + internalTrafficPolicy: Cluster - # -- Number of replicas run for the clustermesh-apiserver deployment. - replicas: 1 -@@ -3103,9 +3339,15 @@ clustermesh: + # @schema + # type: [null, string] +@@ -3115,9 +3352,15 @@ clustermesh: # -- enable PodDisruptionBudget # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ enabled: false @@ -906,7 +905,7 @@ index 679b4ca..1ba50fc 100644 # -- Maximum number/percentage of pods that may be made unavailable maxUnavailable: 1 -@@ -3154,6 +3396,9 @@ clustermesh: +@@ -3166,6 +3409,9 @@ clustermesh: updateStrategy: type: RollingUpdate rollingUpdate: @@ -916,7 +915,7 @@ index 679b4ca..1ba50fc 100644 maxUnavailable: 1 # -- The priority class to use for clustermesh-apiserver -@@ -3276,24 +3521,42 @@ clustermesh: +@@ -3288,24 +3534,42 @@ clustermesh: # -- Interval for scrape metrics (apiserver metrics) interval: "10s" 
@@ -959,7 +958,7 @@ index 679b4ca..1ba50fc 100644 # -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics) metricRelabelings: ~ -@@ -3401,7 +3664,7 @@ authentication: +@@ -3418,7 +3682,7 @@ authentication: existingNamespace: false # -- init container image of SPIRE agent and server initImage: @@ -968,7 +967,7 @@ index 679b4ca..1ba50fc 100644 repository: "${SPIRE_INIT_REPO}" tag: "${SPIRE_INIT_VERSION}" digest: "${SPIRE_INIT_DIGEST}" -@@ -3411,7 +3674,7 @@ authentication: +@@ -3428,7 +3692,7 @@ authentication: agent: # -- SPIRE agent image image: @@ -977,7 +976,7 @@ index 679b4ca..1ba50fc 100644 repository: "${SPIRE_AGENT_REPO}" tag: "${SPIRE_AGENT_VERSION}" digest: "${SPIRE_AGENT_DIGEST}" -@@ -3459,7 +3722,7 @@ authentication: +@@ -3476,7 +3740,7 @@ authentication: server: # -- SPIRE server image image: @@ -986,7 +985,7 @@ index 679b4ca..1ba50fc 100644 repository: "${SPIRE_SERVER_REPO}" tag: "${SPIRE_SERVER_VERSION}" digest: "${SPIRE_SERVER_DIGEST}" -@@ -3499,6 +3762,9 @@ authentication: +@@ -3516,6 +3780,9 @@ authentication: size: 1Gi # -- Access mode of the SPIRE server data storage accessMode: ReadWriteOnce @@ -996,7 +995,7 @@ index 679b4ca..1ba50fc 100644 # -- StorageClass of the SPIRE server data storage storageClass: null # -- Security context to be added to spire server pods. -@@ -3519,6 +3785,9 @@ authentication: +@@ -3536,6 +3803,9 @@ authentication: country: "US" organization: "SPIRE" commonName: "Cilium SPIRE CA" @@ -1006,7 +1005,7 @@ index 679b4ca..1ba50fc 100644 # -- SPIRE server address used by Cilium Operator # # If k8s Service DNS along with port number is used (e.g. ..svc(.*): format), -@@ -3535,3 +3804,40 @@ authentication: +@@ -3552,3 +3822,40 @@ authentication: agentSocketPath: /run/spire/sockets/agent/agent.sock # -- SPIRE connection timeout connectionTimeout: 30s diff --git a/helm/Makefile.defs b/helm/Makefile.defs index 681bf05d..d9145e92 100644 --- a/helm/Makefile.defs +++ b/helm/Makefile.defs 
@@ -57,11 +57,10 @@ ifeq ($(DOCKER_IMAGE_TAG),) DOCKER_IMAGE_TAG=latest endif -ifeq ($(shell uname -m),aarch64) - ETCD_IMAGE=quay.io/coreos/etcd:v3.3.20-arm64 -else - ETCD_IMAGE=quay.io/coreos/etcd:v3.3.20 -endif +# renovate: datasource=docker depName=gcr.io/etcd-development/etcd +ETCD_IMAGE_VERSION = v3.5.17 +ETCD_IMAGE_SHA = sha256:15b1882f07aeaf357a48fbbcf35a566ae3ea110395704711488ea263fa86838d +ETCD_IMAGE=gcr.io/etcd-development/etcd:$(ETCD_IMAGE_VERSION)@$(ETCD_IMAGE_SHA) CONSUL_IMAGE=consul:1.7.2 @@ -70,8 +69,10 @@ CILIUM_BUILDER_IMAGE=$(shell cat $(ROOT_DIR)/images/cilium/Dockerfile | grep "AR export CILIUM_CLI ?= cilium export KUBECTL ?= kubectl +# renovate: datasource=docker depName=quay.io/goswagger/swagger SWAGGER_VERSION := v0.30.3 -SWAGGER := $(CONTAINER_ENGINE) run -u $(shell id -u):$(shell id -g) --rm -v $(ROOT_DIR):$(ROOT_DIR) -w $(ROOT_DIR) --entrypoint swagger quay.io/goswagger/swagger:$(SWAGGER_VERSION) +SWAGGER_IMAGE_SHA = sha256:3118f9292ba3eb6c9d434932fbae2ef07137b3043c23196bcddcb688a7029526 +SWAGGER := $(CONTAINER_ENGINE) run -u $(shell id -u):$(shell id -g) --rm -v $(ROOT_DIR):$(ROOT_DIR) -w $(ROOT_DIR) --entrypoint swagger quay.io/goswagger/swagger:$(SWAGGER_VERSION)@$(SWAGGER_IMAGE_SHA) # go build/test/clean flags # these are declared here so they are treated explicitly diff --git a/helm/VERSION b/helm/VERSION index 04cc9994..50830c83 100644 --- a/helm/VERSION +++ b/helm/VERSION @@ -1 +1 @@ -1.15.6 +1.15.12 diff --git a/helm/cilium/README.md b/helm/cilium/README.md index e1a69878..cb74caf0 100644 --- a/helm/cilium/README.md +++ b/helm/cilium/README.md 
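Review bot: The aarch64 branch that selected a `-arm64` etcd tag is replaced by a single `ETCD_IMAGE` pinned to one sha256 digest, so the pin only works on every host architecture if that digest names a multi-arch manifest list rather than a single-platform image manifest — worth confirming before merge, since a wrong guess fails only on arm64 runners. `ETCD_IMAGE_VERSION = v3.5.17` and `ETCD_IMAGE_SHA = sha256:…` use recursive `=` while the neighbouring `SWAGGER_VERSION := v0.30.3` uses `:=`; the same applies to `SWAGGER_IMAGE_SHA = sha256:…` in the second hunk of this file, and `:=` would keep the three pins consistent and simply expanded. Whether renovate's docker datasource rewrites a digest that lives in a separate variable from its tag depends on the repo's regex manager configuration, which is not visible here; a short comment beside the `# renovate:` line stating which variables it is expected to update would make that explicit.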
@@ -47,7 +47,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge ## Getting Help The best way to get help if you get stuck is to ask a question on the -[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium +[Cilium Slack channel](https://slack.cilium.io). With Cilium contributors across the globe, there is almost always someone available to help. ## Values @@ -173,7 +173,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | -| clustermesh.apiserver.image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-clustermesh-apiserver","tag":"v1.15.6","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-clustermesh-apiserver","tag":"v1.15.12","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -215,6 +215,8 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.service.annotations | object | `{}` | Annotations for the clustermesh-apiserver For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 | | clustermesh.apiserver.service.externalTrafficPolicy | string | `"Cluster"` | The externalTrafficPolicy of service used for apiserver access. | | clustermesh.apiserver.service.internalTrafficPolicy | string | `"Cluster"` | The internalTrafficPolicy of service used for apiserver access. | +| clustermesh.apiserver.service.loadBalancerClass | string | `nil` | Configure a loadBalancerClass. Allows to configure the loadBalancerClass on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer (requires Kubernetes 1.24+). | +| clustermesh.apiserver.service.loadBalancerIP | string | `nil` | Configure a specific loadBalancerIP. Allows to configure a specific loadBalancerIP on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer. | | clustermesh.apiserver.service.nodePort | int | `32379` | Optional port to use as the node port for apiserver access. WARNING: make sure to configure a different NodePort in each cluster if kube-proxy replacement is enabled, as Cilium is currently affected by a known bug (#24692) when NodePorts are handled by the KPR implementation. If a service with the same NodePort exists both in the local and the remote cluster, all traffic originating from inside the cluster and targeting the corresponding NodePort will be redirected to a local backend, regardless of whether the destination node belongs to the local or the remote cluster. | | clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. 
| | clustermesh.apiserver.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for the clustermesh-apiserver deployment | @@ -279,6 +281,7 @@ contributors across the globe, there is almost always someone available to help. | dnsProxy.preCache | string | `""` | DNS cache data at this path is preloaded on agent startup. | | dnsProxy.proxyPort | int | `0` | Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. | | dnsProxy.proxyResponseMaxDelay | string | `"100ms"` | The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. | +| dnsProxy.socketLingerTimeout | int | `10` | Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background. | | egressGateway.enabled | bool | `false` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. | | egressGateway.installRoutes | bool | `false` | Deprecated without a replacement necessary. | | egressGateway.reconciliationTriggerInterval | string | `"1s"` | Time between triggers of egress gateway state reconciliations | 
@@ -479,7 +482,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/hubble-relay","tag":"v1.15.6","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/hubble-relay","tag":"v1.15.12","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -574,7 +577,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","registry":"gsoci.azurecr.io","repository":"giantswarm/cilium","tag":"v1.15.6","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","registry":"gsoci.azurecr.io","repository":"giantswarm/cilium","tag":"v1.15.12","useDigest":false}` | Agent container image. | | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -690,7 +693,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-operator","suffix":"","tag":"v1.15.6","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-operator","suffix":"","tag":"v1.15.12","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -741,7 +744,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/cilium","tag":"v1.15.6","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":"","pullPolicy":"IfNotPresent","repository":"giantswarm/cilium","tag":"v1.15.12","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | 
@@ -802,6 +805,8 @@ contributors across the globe, there is almost always someone available to help. | startupProbe.periodSeconds | int | `2` | interval between checks of the startup probe | | svcSourceRangeCheck | bool | `true` | Enable check of service source ranges (currently, only for LoadBalancer). | | synchronizeK8sNodes | bool | `true` | Synchronize Kubernetes nodes to kvstore and perform CNP GC. | +| sysctlfix | object | `{"enabled":true}` | Configure sysctl override described in #20072. | +| sysctlfix.enabled | bool | `true` | Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute. | | terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-agent DaemonSet. | | tls | object | `{"ca":{"cert":"","certValidityDuration":1095,"key":""},"caBundle":{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false},"secretsBackend":"local"}` | Configure TLS configuration in the agent. | | tls.ca | object | `{"cert":"","certValidityDuration":1095,"key":""}` | Base64 encoded PEM values for the CA certificate and private key. This can be used as common CA to generate certificates used by hubble and clustermesh components. It is neither required nor used when cert-manager is used to generate the certificates. | diff --git a/helm/cilium/README.md.gotmpl b/helm/cilium/README.md.gotmpl index db2d81b7..4aa7da8f 100644 --- a/helm/cilium/README.md.gotmpl +++ b/helm/cilium/README.md.gotmpl @@ -48,7 +48,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge ## Getting Help The best way to get help if you get stuck is to ask a question on the -[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium +[Cilium Slack channel](https://slack.cilium.io). With Cilium contributors across the globe, there is almost always someone available to help. {{ template "chart.valuesSection" . }} 
diff --git a/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json b/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json index 87939f69..52ccfbc5 100644 --- a/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json +++ b/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json @@ -52,6 +52,30 @@ } } ], + "internal_address_config": { + "cidr_ranges": [ + { + "address_prefix": "10.0.0.0", + "prefix_len": 8 + }, + { + "address_prefix": "172.16.0.0", + "prefix_len": 12 + }, + { + "address_prefix": "192.168.0.0", + "prefix_len": 16 + }, + { + "address_prefix": "127.0.0.1", + "prefix_len": 32 + }, + { + "address_prefix": "::1", + "prefix_len": 128 + } + ] + }, "stream_idle_timeout": "0s" } } @@ -118,6 +142,30 @@ } } ], + "internal_address_config": { + "cidr_ranges": [ + { + "address_prefix": "10.0.0.0", + "prefix_len": 8 + }, + { + "address_prefix": "172.16.0.0", + "prefix_len": 12 + }, + { + "address_prefix": "192.168.0.0", + "prefix_len": 16 + }, + { + "address_prefix": "127.0.0.1", + "prefix_len": 32 + }, + { + "address_prefix": "::1", + "prefix_len": 128 + } + ] + }, "stream_idle_timeout": "0s" } } @@ -309,14 +357,13 @@ } } ], - "layeredRuntime": { - "layers": [ + "overload_manager": { + "resource_monitors": [ { - "name": "static_layer_0", - "staticLayer": { - "overload": { - "global_downstream_max_connections": 50000 - } + "name": "envoy.resource_monitors.global_downstream_max_connections", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig", + "max_active_downstream_connections": "50000" } } ] diff --git a/helm/cilium/files/hubble/dashboards/hubble-dashboard.json b/helm/cilium/files/hubble/dashboards/hubble-dashboard.json index 8de5ec1d..0ff1dcbe 100644 --- a/helm/cilium/files/hubble/dashboards/hubble-dashboard.json +++ b/helm/cilium/files/hubble/dashboards/hubble-dashboard.json 
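Review bot: The five `cidr_ranges` entries added under `internal_address_config` are pasted identically into the `@@ -52` and `@@ -118` listener blocks, and they fix a trust boundary in a static file: Envoy treats downstream addresses in this list as internal, which decides whether a request's `x-envoy-*` and forwarded-client headers are kept or sanitized. The list looks like Envoy's former implicit default (RFC 1918) plus loopback, which is broader than a cluster's pod and node CIDRs and will also match peered or on-prem networks that can reach the proxy, so it would be better derived from a chart value with one copy feeding both listeners. Because JSON carries no comments, the rationale and the expectation that these ranges cover the pod/node CIDRs belong in the values.yaml entry or README for this configmap. If the file has to stay static, narrowing the ranges to what the deployment actually uses is the safer default.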
@@ -3194,7 +3194,23 @@ "style": "dark", "tags": [], "templating": { - "list": [] + "list": [ + { + "current": {}, + "hide": 0, + "includeAll": false, + "label": "Prometheus", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] }, "time": { "from": "now-6h", diff --git a/helm/cilium/files/hubble/dashboards/hubble-dns-namespace.json b/helm/cilium/files/hubble/dashboards/hubble-dns-namespace.json index d286fdb3..57f804cf 100644 --- a/helm/cilium/files/hubble/dashboards/hubble-dns-namespace.json +++ b/helm/cilium/files/hubble/dashboards/hubble-dns-namespace.json @@ -484,7 +484,7 @@ "includeAll": false, "label": "Data Source", "multi": false, - "name": "prometheus_datasource", + "name": "DS_PROMETHEUS", "options": [], "query": "prometheus", "queryValue": "", diff --git a/helm/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json b/helm/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json index d0cf9d3b..cddb473d 100644 --- a/helm/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json +++ b/helm/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json @@ -883,7 +883,7 @@ "includeAll": false, "label": "Data Source", "multi": false, - "name": "prometheus_datasource", + "name": "DS_PROMETHEUS", "options": [], "query": "prometheus", "queryValue": "", diff --git a/helm/cilium/templates/_helpers.tpl b/helm/cilium/templates/_helpers.tpl index b96b3f87..4ef0bc46 100644 --- a/helm/cilium/templates/_helpers.tpl +++ b/helm/cilium/templates/_helpers.tpl 
@@ -52,62 +52,7 @@ where: {{- if $priorityClass }} {{- $priorityClass }} {{- else if and $root.Values.enableCriticalPriorityClass $criticalPriorityClass -}} - {{- if and (eq $root.Release.Namespace "kube-system") (semverCompare ">=1.10-0" $root.Capabilities.KubeVersion.Version) -}} - {{- $criticalPriorityClass }} - {{- else if semverCompare ">=1.17-0" $root.Capabilities.KubeVersion.Version -}} - {{- $criticalPriorityClass }} - {{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress. -*/}} -{{- define "ingress.apiVersion" -}} -{{- if semverCompare ">=1.16-0, <1.19-0" .Capabilities.KubeVersion.Version -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate backend for Hubble UI ingress. -*/}} -{{- define "ingress.paths" -}} -{{ if semverCompare ">=1.4-0, <1.19-0" .Capabilities.KubeVersion.Version -}} -backend: - serviceName: hubble-ui - servicePort: http -{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}} -pathType: Prefix -backend: - service: - name: hubble-ui - port: - name: http -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for cronjob. -*/}} -{{- define "cronjob.apiVersion" -}} -{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}} -{{- print "batch/v1" -}} -{{- else -}} -{{- print "batch/v1beta1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for podDisruptionBudget. -*/}} -{{- define "podDisruptionBudget.apiVersion" -}} -{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}} -{{- print "policy/v1" -}} -{{- else -}} -{{- print "policy/v1beta1" -}} + {{- $criticalPriorityClass }} {{- end -}} {{- end -}} diff --git a/helm/cilium/templates/cilium-agent/daemonset.yaml b/helm/cilium/templates/cilium-agent/daemonset.yaml index 2eebb448..6b3c1e36 100644 
--- a/helm/cilium/templates/cilium-agent/daemonset.yaml +++ b/helm/cilium/templates/cilium-agent/daemonset.yaml @@ -122,7 +122,6 @@ spec: {{- with .Values.extraArgs }} {{- toYaml . | trim | nindent 8 }} {{- end }} - {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} startupProbe: httpGet: host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} @@ -136,7 +135,6 @@ spec: periodSeconds: {{ .Values.startupProbe.periodSeconds }} successThreshold: 1 initialDelaySeconds: 5 - {{- end }} livenessProbe: {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }} exec: @@ -154,14 +152,6 @@ spec: - name: "brief" value: "true" {{- end }} - {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} - # The initial delay for the liveness probe is intentionally large to - # avoid an endless kill & restart cycle if in the event that the initial - # bootstrapping takes longer than expected. - # Starting from Kubernetes 1.20, we are using startupProbe instead - # of this field. - initialDelaySeconds: 120 - {{- end }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} successThreshold: 1 failureThreshold: {{ .Values.livenessProbe.failureThreshold }} @@ -183,9 +173,6 @@ spec: - name: "brief" value: "true" {{- end }} - {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} - initialDelaySeconds: 5 - {{- end }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} successThreshold: 1 failureThreshold: {{ .Values.readinessProbe.failureThreshold }} @@ -550,6 +537,8 @@ spec: drop: - ALL {{- end}} + {{- end }} + {{- if .Values.sysctlfix.enabled }} - name: apply-sysctl-overwrites image: {{ include "cilium.image" (list $ .Values.image) | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} 
@@ -794,7 +783,6 @@ spec: {{- end }} # .Values.cni.install restartPolicy: Always priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }} - serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }} automountServiceAccountToken: {{ .Values.serviceAccounts.cilium.automount }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} @@ -844,8 +832,8 @@ spec: path: /sys/fs/bpf type: DirectoryOrCreate {{- end }} - {{- if .Values.cgroup.autoMount.enabled }} - # To mount cgroup2 filesystem on the host + {{- if or .Values.cgroup.autoMount.enabled .Values.sysctlfix.enabled }} + # To mount cgroup2 filesystem on the host or apply sysctlfix - name: hostproc hostPath: path: /proc diff --git a/helm/cilium/templates/cilium-configmap.yaml b/helm/cilium/templates/cilium-configmap.yaml index f1362e5b..1571fb5a 100644 --- a/helm/cilium/templates/cilium-configmap.yaml +++ b/helm/cilium/templates/cilium-configmap.yaml @@ -1168,6 +1168,9 @@ data: # default DNS proxy to transparent mode in non-chaining modes dnsproxy-enable-transparent-mode: {{ $defaultDNSProxyEnableTransparentMode | quote }} {{- end }} + {{- if (not (kindIs "invalid" .Values.dnsProxy.socketLingerTimeout)) }} + dnsproxy-socket-linger-timeout: {{ .Values.dnsProxy.socketLingerTimeout | quote }} + {{- end }} {{- if .Values.dnsProxy.dnsRejectResponseCode }} tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }} {{- end }} diff --git a/helm/cilium/templates/cilium-envoy/daemonset.yaml b/helm/cilium/templates/cilium-envoy/daemonset.yaml index a9cd4b7d..26ffd964 100644 --- a/helm/cilium/templates/cilium-envoy/daemonset.yaml +++ b/helm/cilium/templates/cilium-envoy/daemonset.yaml 
@@ -26,10 +26,6 @@ spec: template: metadata: annotations: - {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }} - prometheus.io/port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}" - prometheus.io/scrape: "true" - {{- end }} {{- if .Values.envoy.rollOutPods }} # ensure pods roll when configmap updates cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }} @@ -90,7 +86,6 @@ spec: {{- with .Values.envoy.extraArgs }} {{- toYaml . | trim | nindent 8 }} {{- end }} - {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} startupProbe: httpGet: host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} @@ -101,21 +96,12 @@ spec: periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }} successThreshold: 1 initialDelaySeconds: 5 - {{- end }} livenessProbe: httpGet: host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} path: /healthz port: {{ .Values.envoy.healthPort }} scheme: HTTP - {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} - # The initial delay for the liveness probe is intentionally large to - # avoid an endless kill & restart cycle if in the event that the initial - # bootstrapping takes longer than expected. - # Starting from Kubernetes 1.20, we are using startupProbe instead - # of this field. - initialDelaySeconds: 120 - {{- end }} periodSeconds: {{ .Values.envoy.livenessProbe.periodSeconds }} successThreshold: 1 failureThreshold: {{ .Values.envoy.livenessProbe.failureThreshold }} 
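Review bot: Removing the `prometheus.io/port` and `prometheus.io/scrape` pod annotations in the `@@ -26,10 +26,6 @@` hunk ends annotation-based scraping of the Envoy DaemonSet for installs that set `envoy.prometheus.enabled` without a ServiceMonitor, and nothing in this hunk replaces that path. If Envoy metrics are now expected to be scraped through a Service or ServiceMonitor defined elsewhere in the chart, a one-line comment at the removal point or a README entry saying where they are exposed would keep the monitoring gap from going unnoticed after an upgrade. The pod template these annotations belonged to begins before the hunk.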
@@ -126,9 +112,6 @@ spec: path: /healthz port: {{ .Values.envoy.healthPort }} scheme: HTTP - {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} - initialDelaySeconds: 5 - {{- end }} periodSeconds: {{ .Values.envoy.readinessProbe.periodSeconds }} successThreshold: 1 failureThreshold: {{ .Values.envoy.readinessProbe.failureThreshold }} @@ -214,7 +197,6 @@ spec: {{- end }} restartPolicy: Always priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.envoy.priorityClassName "system-node-critical") }} - serviceAccount: {{ .Values.serviceAccounts.envoy.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.envoy.name | quote }} automountServiceAccountToken: {{ .Values.serviceAccounts.envoy.automount }} terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }} diff --git a/helm/cilium/templates/cilium-ingress-service.yaml b/helm/cilium/templates/cilium-ingress-service.yaml index ff6269d2..0e489bda 100644 --- a/helm/cilium/templates/cilium-ingress-service.yaml +++ b/helm/cilium/templates/cilium-ingress-service.yaml @@ -24,14 +24,12 @@ spec: protocol: TCP nodePort: {{ .Values.ingressController.service.secureNodePort }} type: {{ .Values.ingressController.service.type }} - {{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}} {{- if .Values.ingressController.service.loadBalancerClass }} loadBalancerClass: {{ .Values.ingressController.service.loadBalancerClass }} {{- end }} {{- if (not (kindIs "invalid" .Values.ingressController.service.allocateLoadBalancerNodePorts)) }} allocateLoadBalancerNodePorts: {{ .Values.ingressController.service.allocateLoadBalancerNodePorts }} {{- end }} - {{- end -}} {{- if .Values.ingressController.service.loadBalancerIP }} loadBalancerIP: {{ .Values.ingressController.service.loadBalancerIP }} {{- end }} diff --git a/helm/cilium/templates/cilium-nodeinit/daemonset.yaml b/helm/cilium/templates/cilium-nodeinit/daemonset.yaml index e268da7b..86492b1b 100644 
--- a/helm/cilium/templates/cilium-nodeinit/daemonset.yaml
+++ b/helm/cilium/templates/cilium-nodeinit/daemonset.yaml
@@ -114,7 +114,6 @@ spec:
 hostNetwork: true
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.nodeinit.priorityClassName "system-node-critical") }}
 {{- if .Values.serviceAccounts.nodeinit.enabled }}
- serviceAccount: {{ .Values.serviceAccounts.nodeinit.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.nodeinit.name | quote }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.nodeinit.automount }}
 {{- end }}
diff --git a/helm/cilium/templates/cilium-operator/deployment.yaml b/helm/cilium/templates/cilium-operator/deployment.yaml
index cd73c8a6..53ddcaeb 100644
--- a/helm/cilium/templates/cilium-operator/deployment.yaml
+++ b/helm/cilium/templates/cilium-operator/deployment.yaml
@@ -252,7 +252,6 @@ spec:
 {{- end }}
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.operator.priorityClassName "system-cluster-critical") }}
- serviceAccount: {{ .Values.serviceAccounts.operator.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.operator.name | quote }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.operator.automount }}
 {{- with .Values.operator.affinity }}
diff --git a/helm/cilium/templates/cilium-operator/poddisruptionbudget.yaml b/helm/cilium/templates/cilium-operator/poddisruptionbudget.yaml
index a224b9e6..05b25104 100644
--- a/helm/cilium/templates/cilium-operator/poddisruptionbudget.yaml
+++ b/helm/cilium/templates/cilium-operator/poddisruptionbudget.yaml
@@ -1,6 +1,6 @@
 {{- if and .Values.operator.enabled .Values.operator.podDisruptionBudget.enabled }}
 {{- $component := .Values.operator.podDisruptionBudget }}
-apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: cilium-operator
diff --git a/helm/cilium/templates/cilium-preflight/daemonset.yaml b/helm/cilium/templates/cilium-preflight/daemonset.yaml
index f9ace4d9..3d0b6d2d 100644
--- a/helm/cilium/templates/cilium-preflight/daemonset.yaml
+++ b/helm/cilium/templates/cilium-preflight/daemonset.yaml
@@ -176,7 +176,6 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-node-critical") }}
- serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }}
 terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }}
diff --git a/helm/cilium/templates/cilium-preflight/deployment.yaml b/helm/cilium/templates/cilium-preflight/deployment.yaml
index 9c259d41..78ad7921 100644
--- a/helm/cilium/templates/cilium-preflight/deployment.yaml
+++ b/helm/cilium/templates/cilium-preflight/deployment.yaml
@@ -88,7 +88,6 @@ spec:
 hostNetwork: true
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-cluster-critical") }}
- serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }}
 terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }}
diff --git a/helm/cilium/templates/cilium-preflight/poddisruptionbudget.yaml b/helm/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
index 4b3c7cb0..c00d9b89 100644
--- a/helm/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
+++ b/helm/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
@@ -1,6 +1,6 @@
 {{- if and .Values.preflight.enabled .Values.preflight.validateCNPs .Values.preflight.podDisruptionBudget.enabled }}
 {{- $component := .Values.preflight.podDisruptionBudget }}
-apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: cilium-pre-flight-check
diff --git a/helm/cilium/templates/clustermesh-apiserver/deployment.yaml b/helm/cilium/templates/clustermesh-apiserver/deployment.yaml
index 332c6550..a91d4fba 100644
--- a/helm/cilium/templates/clustermesh-apiserver/deployment.yaml
+++ b/helm/cilium/templates/clustermesh-apiserver/deployment.yaml
@@ -404,7 +404,6 @@ spec:
 {{- end }}
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }}
- serviceAccount: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
 terminationGracePeriodSeconds: {{ .Values.clustermesh.apiserver.terminationGracePeriodSeconds }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.clustermeshApiserver.automount }}
diff --git a/helm/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml b/helm/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
index 4a1bbf7e..a5d30b7b 100644
--- a/helm/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
+++ b/helm/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
@@ -1,6 +1,6 @@
 {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.podDisruptionBudget.enabled }}
 {{- $component := .Values.clustermesh.apiserver.podDisruptionBudget }}
-apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: clustermesh-apiserver
diff --git a/helm/cilium/templates/clustermesh-apiserver/service.yaml b/helm/cilium/templates/clustermesh-apiserver/service.yaml
index 0a7028c5..14daaeb5 100644
--- a/helm/cilium/templates/clustermesh-apiserver/service.yaml
+++ b/helm/cilium/templates/clustermesh-apiserver/service.yaml
@@ -26,6 +26,9 @@ spec:
 {{- if and (eq "NodePort" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.nodePort }}
 nodePort: {{ .Values.clustermesh.apiserver.service.nodePort }}
 {{- end }}
+ {{- if and (eq "LoadBalancer" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.loadBalancerClass }}
+ loadBalancerClass: {{ .Values.clustermesh.apiserver.service.loadBalancerClass }}
+ {{- end }}
 {{- if and (eq "LoadBalancer" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.loadBalancerIP }}
 loadBalancerIP: {{ .Values.clustermesh.apiserver.service.loadBalancerIP }}
 {{- end }}
diff --git a/helm/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml b/helm/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
index 946602b4..8c0e4cd5 100644
--- a/helm/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
+++ b/helm/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
@@ -1,5 +1,5 @@
 {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.clustermesh.apiserver.tls.auto.schedule }}
-apiVersion: {{ include "cronjob.apiVersion" . }}
+apiVersion: batch/v1
 kind: CronJob
 metadata:
 name: clustermesh-apiserver-generate-certs
diff --git a/helm/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml b/helm/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml
index e5b730b5..9802aed8 100644
--- a/helm/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml
+++ b/helm/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml
@@ -110,7 +110,6 @@ spec:
 hostNetwork: true
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }}
 restartPolicy: Always
- serviceAccount: {{ .Values.serviceAccounts.etcd.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.etcd.name | quote }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.etcd.automount }}
 {{- with .Values.etcd.nodeSelector }}
diff --git a/helm/cilium/templates/etcd-operator/poddisruptionbudget.yaml b/helm/cilium/templates/etcd-operator/poddisruptionbudget.yaml
index 5939b4ae..d604e522 100644
--- a/helm/cilium/templates/etcd-operator/poddisruptionbudget.yaml
+++ b/helm/cilium/templates/etcd-operator/poddisruptionbudget.yaml
@@ -1,6 +1,6 @@
 {{- if and .Values.etcd.managed .Values.etcd.podDisruptionBudget.enabled }}
 {{- $component := .Values.etcd.podDisruptionBudget }}
-apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: cilium-etcd-operator
diff --git a/helm/cilium/templates/hubble-relay/deployment.yaml b/helm/cilium/templates/hubble-relay/deployment.yaml
index 525885cd..0040546d 100644
--- a/helm/cilium/templates/hubble-relay/deployment.yaml
+++ b/helm/cilium/templates/hubble-relay/deployment.yaml
@@ -71,26 +71,37 @@ spec:
 protocol: TCP
 {{- end }}
 readinessProbe:
- {{- include "hubble-relay.probe" . | nindent 12 }}
- {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
- # Starting from Kubernetes 1.20, we are using startupProbe instead
- # of this field.
- initialDelaySeconds: 5
- {{- end }}
+ grpc:
+ port: 4222
+ timeoutSeconds: 3
+ # livenessProbe will kill the pod, we should be very conservative
+ # here on failures since killing the pod should be a last resort, and
+ # we should provide enough time for relay to retry before killing it.
 livenessProbe:
- {{- include "hubble-relay.probe" . | nindent 12 }}
- {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
- # Starting from Kubernetes 1.20, we are using startupProbe instead
- # of this field.
- initialDelaySeconds: 60
- {{- end }}
- {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
+ grpc:
+ port: 4222
+ timeoutSeconds: 10
+ # Give relay time to establish connections and make a few retries
+ # before starting livenessProbes.
+ initialDelaySeconds: 10
+ # 10 second * 12 failures = 2 minutes of failure.
+ # If relay cannot become healthy after 2 minutes, then killing it
+ # might resolve whatever issue is occurring.
+ #
+ # 10 seconds is a reasonable retry period so we can see if it's
+ # failing regularly or only sporadically.
+ periodSeconds: 10
+ failureThreshold: 12
 startupProbe:
- # give the relay one minute to start up
- {{- include "hubble-relay.probe" . | nindent 12 }}
+ grpc:
+ port: 4222
+ # Give relay time to get it's certs and establish connections and
+ # make a few retries before starting startupProbes.
+ initialDelaySeconds: 10
+ # 20 * 3 seconds = 1 minute of failure before we consider startup as failed.
 failureThreshold: 20
+ # Retry more frequently at startup so that it can be considered started more quickly.
 periodSeconds: 3
- {{- end }}
 {{- with .Values.hubble.relay.extraEnv }}
 env:
 {{- toYaml . | trim | nindent 12 }}
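Review bot: The probe port `4222` is now written literally three times (readiness, liveness and startup) after the `hubble-relay.probe` helper that held it once is deleted in the following hunk; hoisting it into a single template variable near the top of the container spec, e.g. `{{- $relayHealthPort := 4222 }}` referenced as `port: {{ $relayHealthPort }}`, keeps the three probes from drifting apart. The comment above the startupProbe's `initialDelaySeconds: 10` should read `its certs`, not `it's certs`. The container spec these probes belong to starts before the hunk.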
@@ -114,7 +125,6 @@ spec:
 terminationMessagePolicy: FallbackToLogsOnError
 restartPolicy: Always
 priorityClassName: {{ .Values.hubble.relay.priorityClassName }}
- serviceAccount: {{ .Values.serviceAccounts.relay.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.relay.name | quote }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.relay.automount }}
 terminationGracePeriodSeconds: {{ .Values.hubble.relay.terminationGracePeriodSeconds }}
@@ -185,17 +195,3 @@ spec:
 {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- end }}
-
-{{- define "hubble-relay.probe" }}
-{{- /* This distinction can be removed once we drop support for k8s 1.23 */}}
-{{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}}
-grpc:
- port: 4222
-{{- else }}
-exec:
- command:
- - grpc_health_probe
- - -addr=localhost:4222
-{{- end }}
-timeoutSeconds: 3
-{{- end }}
diff --git a/helm/cilium/templates/hubble-relay/poddisruptionbudget.yaml b/helm/cilium/templates/hubble-relay/poddisruptionbudget.yaml
index 4fd6da9b..6162cb81 100644
--- a/helm/cilium/templates/hubble-relay/poddisruptionbudget.yaml
+++ b/helm/cilium/templates/hubble-relay/poddisruptionbudget.yaml
@@ -1,6 +1,6 @@
 {{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.podDisruptionBudget.enabled }}
 {{- $component := .Values.hubble.relay.podDisruptionBudget }}
-apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: hubble-relay
diff --git a/helm/cilium/templates/hubble-ui/deployment.yaml b/helm/cilium/templates/hubble-ui/deployment.yaml
index f567cac1..32924820 100644
--- a/helm/cilium/templates/hubble-ui/deployment.yaml
+++ b/helm/cilium/templates/hubble-ui/deployment.yaml
@@ -44,7 +44,6 @@ spec:
 {{- omit . "enabled" | toYaml | nindent 8 }}
 {{- end }}
 priorityClassName: {{ .Values.hubble.ui.priorityClassName }}
- serviceAccount: {{ .Values.serviceAccounts.ui.name | quote }}
 serviceAccountName: {{ .Values.serviceAccounts.ui.name | quote }}
 automountServiceAccountToken: {{ .Values.serviceAccounts.ui.automount }}
 {{- with .Values.imagePullSecrets }}
diff --git a/helm/cilium/templates/hubble-ui/ingress.yaml b/helm/cilium/templates/hubble-ui/ingress.yaml
index 2c0ff7d3..348e281d 100644
--- a/helm/cilium/templates/hubble-ui/ingress.yaml
+++ b/helm/cilium/templates/hubble-ui/ingress.yaml
@@ -1,6 +1,6 @@
 {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.ingress.enabled }}
 {{- $baseUrl := .Values.hubble.ui.baseUrl -}}
-apiVersion: {{ template "ingress.apiVersion" . }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: hubble-ui
@@ -35,6 +35,11 @@ spec:
 http:
 paths:
 - path: {{ $baseUrl | quote }}
- {{- include "ingress.paths" $ | nindent 12 }}
+ pathType: Prefix
+ backend:
+ service:
+ name: hubble-ui
+ port:
+ name: http
 {{- end }}
 {{- end }}
diff --git a/helm/cilium/templates/hubble-ui/poddisruptionbudget.yaml b/helm/cilium/templates/hubble-ui/poddisruptionbudget.yaml
index af3b6705..c23e3ad0 100644
--- a/helm/cilium/templates/hubble-ui/poddisruptionbudget.yaml
+++ b/helm/cilium/templates/hubble-ui/poddisruptionbudget.yaml
@@ -1,6 +1,6 @@
 {{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.podDisruptionBudget.enabled }}
 {{- $component := .Values.hubble.ui.podDisruptionBudget }}
-apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: hubble-ui
diff --git a/helm/cilium/templates/hubble/peer-service.yaml b/helm/cilium/templates/hubble/peer-service.yaml
index 7ba56456..aec3f889 100644
--- a/helm/cilium/templates/hubble/peer-service.yaml
+++ b/helm/cilium/templates/hubble/peer-service.yaml
@@ -24,7 +24,5 @@ spec:
 {{- end }}
 protocol: TCP
 targetPort: {{ .Values.hubble.peerService.targetPort }}
-{{- if semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion }}
 internalTrafficPolicy: Local
 {{- end }}
-{{- end }}
diff --git a/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
index 1dd96b18..373d6c54 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
@@ -19,4 +19,9 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - client auth
 {{- end }}
diff --git a/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
index 845b4fb8..c33b912b 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
@@ -28,4 +28,9 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - server auth
 {{- end }}
diff --git a/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml
index 5f202e10..b34f27c5 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml
@@ -29,4 +29,10 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - server auth
+ - client auth
 {{- end }}
diff --git a/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
index 5006666e..64ace187 100644
--- a/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
+++ b/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
@@ -19,4 +19,9 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - client auth
 {{- end }}
diff --git a/helm/cilium/templates/hubble/tls-cronjob/cronjob.yaml b/helm/cilium/templates/hubble/tls-cronjob/cronjob.yaml
index fa996608..7d9f7174 100644
--- a/helm/cilium/templates/hubble/tls-cronjob/cronjob.yaml
+++ b/helm/cilium/templates/hubble/tls-cronjob/cronjob.yaml
@@ -1,5 +1,5 @@
 {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.hubble.tls.auto.schedule }}
-apiVersion: {{ include "cronjob.apiVersion" . }}
+apiVersion: batch/v1
 kind: CronJob
 metadata:
 name: hubble-generate-certs
diff --git a/helm/cilium/templates/validate.yaml b/helm/cilium/templates/validate.yaml
index 3c89e4e3..fabd69fe 100644
--- a/helm/cilium/templates/validate.yaml
+++ b/helm/cilium/templates/validate.yaml
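Review bot: In `server-secret.yaml` the Hubble server certificate is granted both `server auth` and `client auth`, while `relay-server-secret.yaml` in the preceding hunk gets only `server auth` and the two client certificates only `client auth`; if the Hubble server key pair is also presented as a client certificate to some peer, a comment above `usages:` naming that peer would keep the dual extended key usage from being "tightened" away later, and if it is not, `client auth` should be dropped so the certificate stays single-purpose. Making `isCA: false` and the usages explicit instead of relying on issuer defaults is the right direction for all four Certificates. The `{{- if` wrapping each Certificate starts before the hunk.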
@@ -1,3 +1,17 @@
+{{/* validate deprecated options are not being used */}}
+{{- if .Values.tunnel }}
+ {{ fail "tunnel was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if or (dig "clustermesh" "apiserver" "tls" "ca" "cert" "" .Values.AsMap) (dig "clustermesh" "apiserver" "tls" "ca" "key" "" .Values.AsMap) }}
+ {{ fail "clustermesh.apiserver.tls.ca.cert and clustermesh.apiserver.tls.ca.key were deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if .Values.enableK8sEventHandover }}
+ {{ fail "enableK8sEventHandover was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if .Values.enableCnpStatusUpdates }}
+ {{ fail "enableCnpStatusUpdates was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+
 {{/* validate hubble config */}}
 {{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }}
 {{- if not .Values.hubble.relay.enabled }}
diff --git a/helm/cilium/values.schema.json b/helm/cilium/values.schema.json
index a0a27716..a6d3acb2 100644
--- a/helm/cilium/values.schema.json
+++ b/helm/cilium/values.schema.json
@@ -1015,6 +1015,18 @@
 "Cluster"
 ]
 },
+ "loadBalancerClass": {
+ "type": [
+ "null",
+ "string"
+ ]
+ },
+ "loadBalancerIP": {
+ "type": [
+ "null",
+ "string"
+ ]
+ },
 "nodePort": {
 "type": "integer"
 },
@@ -1368,6 +1380,9 @@
 },
 "proxyResponseMaxDelay": {
 "type": "string"
+ },
+ "socketLingerTimeout": {
+ "type": "integer"
 }
 },
 "type": "object"
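Review bot: The clustermesh message in the second `fail` call has a number-agreement error: the two keys are a plural subject, so it should read `... were deprecated in v1.14 and have been removed in v1.15. ...`. The other three messages keep a singular subject and are fine. Separately, all four checks fire on truthiness, so a leftover `enableK8sEventHandover: false` or `enableCnpStatusUpdates: false` in a user's values file passes silently; that is harmless for the behaviour, but if the intent is to flag any use of a removed key, `hasKey .Values "enableK8sEventHandover"` would catch the explicit-false case as well.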
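Review bot: `socketLingerTimeout` is declared as an unconstrained `integer` in the 1368 hunk, while the values.yaml documentation added later in this diff only gives meaning to `-1`, `0` and positive seconds. If other negative values are not meaningful to the agent, the schema can reject them at `helm install` time instead of at agent start with `"socketLingerTimeout": { "type": "integer", "minimum": -1 }`. Leave it unconstrained only if the agent is known to accept arbitrary negative values.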
@@ -5064,6 +5079,14 @@
 "synchronizeK8sNodes": {
 "type": "boolean"
 },
+ "sysctlfix": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
 "terminationGracePeriodSeconds": {
 "type": "integer"
 },
diff --git a/helm/cilium/values.yaml b/helm/cilium/values.yaml
index bd03efb0..64d61e02 100644
--- a/helm/cilium/values.yaml
+++ b/helm/cilium/values.yaml
@@ -168,7 +168,7 @@ image:
 registry: gsoci.azurecr.io
 override: ""
 repository: "giantswarm/cilium"
- tag: "v1.15.6"
+ tag: "v1.15.12"
 pullPolicy: "IfNotPresent"
 # cilium-digest
 digest: ""
@@ -1346,7 +1346,7 @@ hubble:
 image:
 override: ""
 repository: "giantswarm/hubble-relay"
- tag: "v1.15.6"
+ tag: "v1.15.12"
 # hubble-relay-digest
 digest: ""
 useDigest: false
@@ -2704,7 +2704,7 @@ operator:
 image:
 override: ""
 repository: "giantswarm/cilium-operator"
- tag: "v1.15.6"
+ tag: "v1.15.12"
 # operator-generic-digest
 genericDigest: ""
 # operator-azure-digest
@@ -3029,7 +3029,7 @@ preflight:
 image:
 override: ""
 repository: "giantswarm/cilium"
- tag: "v1.15.6"
+ tag: "v1.15.12"
 # cilium-digest
 digest: ""
 useDigest: false
@@ -3197,7 +3197,7 @@ clustermesh:
 image:
 override: ""
 repository: "giantswarm/cilium-clustermesh-apiserver"
- tag: "v1.15.6"
+ tag: "v1.15.12"
 # clustermesh-apiserver-digest
 digest: ""
 useDigest: false
@@ -3285,9 +3285,6 @@ clustermesh:
 # NodePort will be redirected to a local backend, regardless of whether the
 # destination node belongs to the local or the remote cluster.
 nodePort: 32379
- # -- Optional loadBalancer IP address to use with type LoadBalancer.
- # loadBalancerIP:
-
 # -- Annotations for the clustermesh-apiserver
 # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
 # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
@@ -3304,6 +3301,22 @@ clustermesh:
 # @schema
 # -- The internalTrafficPolicy of service used for apiserver access.
 internalTrafficPolicy: Cluster
+
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Configure a loadBalancerClass.
+ # Allows to configure the loadBalancerClass on the clustermesh-apiserver
+ # LB service in case the Service type is set to LoadBalancer
+ # (requires Kubernetes 1.24+).
+ loadBalancerClass: ~
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Configure a specific loadBalancerIP.
+ # Allows to configure a specific loadBalancerIP on the clustermesh-apiserver
+ # LB service in case the Service type is set to LoadBalancer.
+ loadBalancerIP: ~
 # -- Number of replicas run for the clustermesh-apiserver deployment.
 replicas: 1
@@ -3588,7 +3601,10 @@ cgroup:
 # memory: 128Mi
 # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
 hostRoot: /run/cilium/cgroupv2
-
+# -- Configure sysctl override described in #20072.
+sysctlfix:
+ # -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.
+ enabled: true
 # -- Configure whether to enable auto detect of terminating state for endpoints
 # in order to support graceful termination.
 enableK8sTerminatingEndpoint: true
@@ -3601,6 +3617,8 @@ enableK8sTerminatingEndpoint: true
 agentNotReadyTaintKey: "node.cilium.io/agent-not-ready"
 dnsProxy:
+ # -- Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
+ socketLingerTimeout: 10
 # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
 dnsRejectResponseCode: refused
 # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
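Review bot: The new `loadBalancerIP` comment does not mention that `Service.spec.loadBalancerIP` has been deprecated by Kubernetes since 1.24 in favour of provider-specific annotations, so a reader cannot tell that the `annotations` block above it is the forward-looking route or that some cloud providers ignore this field. A line such as `# Note: spec.loadBalancerIP is deprecated since Kubernetes 1.24; prefer the provider-specific annotation where one exists.` added to that comment would cover it, and it pairs naturally with the `(requires Kubernetes 1.24+)` note already given for `loadBalancerClass`. The same comment block is repeated verbatim in the helm/cilium/values.yaml.tmpl and sync/patches/schema/values.yaml.tmpl hunks below, so all three copies need the change.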
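Review bot: `sysctlfix.enabled` defaults to `true` and its comment says the init container mounts the host's /proc, but it does not say what that implies: a hostPath mount of /proc means an init container with host access (presumably privileged), which a restricted Pod Security admission level or a comparable admission policy will reject, so users on hardened clusters need to know this is the knob to turn off. Suggested wording: `# -- Enable the sysctl override. Mounts the host /proc into the init container (which therefore needs host-level privileges) so the sysctlfix utility can run; disable on clusters whose pod security policy forbids host mounts.`. The bare `#20072` in the parent comment should also be qualified as the upstream cilium/cilium issue (if that is where it comes from) so it is not read as a number in this repository. The identical hunks in helm/cilium/values.yaml.tmpl and sync/patches/schema/values.yaml.tmpl need the same wording.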
diff --git a/helm/cilium/values.yaml.tmpl b/helm/cilium/values.yaml.tmpl
index 1ba50fcf..1ad01155 100644
--- a/helm/cilium/values.yaml.tmpl
+++ b/helm/cilium/values.yaml.tmpl
@@ -3282,9 +3282,6 @@ clustermesh:
 # NodePort will be redirected to a local backend, regardless of whether the
 # destination node belongs to the local or the remote cluster.
 nodePort: 32379
- # -- Optional loadBalancer IP address to use with type LoadBalancer.
- # loadBalancerIP:
-
 # -- Annotations for the clustermesh-apiserver
 # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
 # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
@@ -3301,6 +3298,22 @@ clustermesh:
 # @schema
 # -- The internalTrafficPolicy of service used for apiserver access.
 internalTrafficPolicy: Cluster
+
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Configure a loadBalancerClass.
+ # Allows to configure the loadBalancerClass on the clustermesh-apiserver
+ # LB service in case the Service type is set to LoadBalancer
+ # (requires Kubernetes 1.24+).
+ loadBalancerClass: ~
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Configure a specific loadBalancerIP.
+ # Allows to configure a specific loadBalancerIP on the clustermesh-apiserver
+ # LB service in case the Service type is set to LoadBalancer.
+ loadBalancerIP: ~
 # -- Number of replicas run for the clustermesh-apiserver deployment.
 replicas: 1
@@ -3585,7 +3598,10 @@ cgroup:
 # memory: 128Mi
 # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
 hostRoot: /run/cilium/cgroupv2
-
+# -- Configure sysctl override described in #20072.
+sysctlfix:
+ # -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.
+ enabled: true
 # -- Configure whether to enable auto detect of terminating state for endpoints
 # in order to support graceful termination.
 enableK8sTerminatingEndpoint: true
@@ -3598,6 +3614,8 @@ enableK8sTerminatingEndpoint: true
 agentNotReadyTaintKey: "node.cilium.io/agent-not-ready"
 dnsProxy:
+ # -- Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
+ socketLingerTimeout: 10
 # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
 dnsRejectResponseCode: refused
 # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
diff --git a/sync/patches/schema/values.yaml.tmpl b/sync/patches/schema/values.yaml.tmpl
index 1ba50fcf..1ad01155 100644
--- a/sync/patches/schema/values.yaml.tmpl
+++ b/sync/patches/schema/values.yaml.tmpl
@@ -3282,9 +3282,6 @@ clustermesh:
 # NodePort will be redirected to a local backend, regardless of whether the
 # destination node belongs to the local or the remote cluster.
 nodePort: 32379
- # -- Optional loadBalancer IP address to use with type LoadBalancer.
- # loadBalancerIP:
-
 # -- Annotations for the clustermesh-apiserver
 # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
 # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
@@ -3301,6 +3298,22 @@ clustermesh:
 # @schema
 # -- The internalTrafficPolicy of service used for apiserver access.
 internalTrafficPolicy: Cluster
+
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Configure a loadBalancerClass.
+ # Allows to configure the loadBalancerClass on the clustermesh-apiserver
+ # LB service in case the Service type is set to LoadBalancer
+ # (requires Kubernetes 1.24+).
+ loadBalancerClass: ~
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Configure a specific loadBalancerIP.
+ # Allows to configure a specific loadBalancerIP on the clustermesh-apiserver
+ # LB service in case the Service type is set to LoadBalancer.
+ loadBalancerIP: ~
 # -- Number of replicas run for the clustermesh-apiserver deployment.
 replicas: 1
@@ -3585,7 +3598,10 @@ cgroup:
 # memory: 128Mi
 # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
 hostRoot: /run/cilium/cgroupv2
-
+# -- Configure sysctl override described in #20072.
+sysctlfix:
+ # -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.
+ enabled: true
 # -- Configure whether to enable auto detect of terminating state for endpoints
 # in order to support graceful termination.
 enableK8sTerminatingEndpoint: true
@@ -3598,6 +3614,8 @@ enableK8sTerminatingEndpoint: true
 agentNotReadyTaintKey: "node.cilium.io/agent-not-ready"
 dnsProxy:
+ # -- Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
+ socketLingerTimeout: 10
 # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
 dnsRejectResponseCode: refused
 # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
diff --git a/vendir.lock.yml b/vendir.lock.yml
index 9681d62d..2dc32fd6 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1
 directories:
 - contents:
 - git:
- commitTitle: Prepare for release v1.15.6...
- sha: a09e05e6b63d82dbc3a1b0de1721a3407c340e7c
+ commitTitle: Prepare for release v1.15.12...
+ sha: 1f74fa42d94cdb6a57307b70ea2bb91a99379f1f
 tags:
- - 1.15.6
+ - v1.15.12
 path: cilium
 path: vendor
 - contents:
diff --git a/vendir.yml b/vendir.yml
index 1ad133d2..4736c112 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -7,7 +7,7 @@ directories:
 git:
 depth: 1
 url: https://github.com/cilium/cilium
- ref: "v1.15.6"
+ ref: "v1.15.12"
 includePaths:
 - install/kubernetes/**/*
 - Makefile.defs