diff --git a/CHANGELOG.md b/CHANGELOG.md index 1dc9d9ec..d05fdd01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Upgrade Cilium to [v1.16.3](https://github.com/cilium/cilium/releases/tag/v1.16.3). + ## [0.28.0] - 2024-09-09 ### Changed diff --git a/diffs/helm__cilium__templates___helpers.tpl.patch b/diffs/helm__cilium__templates___helpers.tpl.patch index 316ddd2c..8f3f45d6 100644 --- a/diffs/helm__cilium__templates___helpers.tpl.patch +++ b/diffs/helm__cilium__templates___helpers.tpl.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/_helpers.tpl b/helm/cilium/templates/_helpers.tpl -index bf52b37..f64bf6a 100644 +index 8ae12c1..f2ba717 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/_helpers.tpl +++ b/helm/cilium/templates/_helpers.tpl @@ -18,11 +18,20 @@ then `include "cilium.image" .Values.image` diff --git a/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch b/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch index 987d036e..cbc9dade 100644 --- a/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-envoy__daemonset.yaml.patch @@ -1,8 +1,8 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-envoy/daemonset.yaml b/helm/cilium/templates/cilium-envoy/daemonset.yaml -index 2dfb7ab..1a8e216 100644 +index c62dea3..64383ad 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-envoy/daemonset.yaml +++ b/helm/cilium/templates/cilium-envoy/daemonset.yaml -@@ -69,7 +69,7 @@ spec: +@@ -65,7 +65,7 @@ spec: {{- end }} containers: - name: cilium-envoy diff --git a/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch b/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch index b1257b14..f0bb3c74 100644 
--- a/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch +++ b/diffs/helm__cilium__templates__cilium-operator__deployment.yaml.patch @@ -1,5 +1,5 @@ diff --git a/vendor/cilium/install/kubernetes/cilium/templates/cilium-operator/deployment.yaml b/helm/cilium/templates/cilium-operator/deployment.yaml -index 2b0b536..5edb5c9 100644 +index 627a63c..4a86b49 100644 --- a/vendor/cilium/install/kubernetes/cilium/templates/cilium-operator/deployment.yaml +++ b/helm/cilium/templates/cilium-operator/deployment.yaml @@ -71,7 +71,7 @@ spec: diff --git a/helm/Makefile.defs b/helm/Makefile.defs index ea42ab08..fe663903 100644 --- a/helm/Makefile.defs +++ b/helm/Makefile.defs @@ -58,8 +58,8 @@ ifeq ($(DOCKER_IMAGE_TAG),) endif # renovate: datasource=docker depName=gcr.io/etcd-development/etcd -ETCD_IMAGE_VERSION = v3.5.15 -ETCD_IMAGE_SHA = sha256:9a01b7da0a3cde485c03fcf58fef9b2a09c81b4926b2b7d7ae6d1e9b20a2a192 +ETCD_IMAGE_VERSION = v3.5.16 +ETCD_IMAGE_SHA = sha256:0d0a9fe2d8344722acfb6f456beb0c64328b58f51dc6dee6291976e62a7b5a3f ETCD_IMAGE=gcr.io/etcd-development/etcd:$(ETCD_IMAGE_VERSION)@$(ETCD_IMAGE_SHA) CONSUL_IMAGE=consul:1.7.2 diff --git a/helm/Makefile.values b/helm/Makefile.values index 13f5d2ef..6b366ec1 100644 --- a/helm/Makefile.values +++ b/helm/Makefile.values @@ -38,8 +38,8 @@ export CILIUM_NODEINIT_DIGEST:=sha256:8d7b41c4ca45860254b3c19e20210462ef89479bb6 # renovate: datasource=docker export CILIUM_ENVOY_REPO:=quay.io/cilium/cilium-envoy -export CILIUM_ENVOY_VERSION:=v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51 -export CILIUM_ENVOY_DIGEST:=sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b +export CILIUM_ENVOY_VERSION:=v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd +export CILIUM_ENVOY_DIGEST:=sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba # renovate: datasource=docker export HUBBLE_UI_BACKEND_REPO:=quay.io/cilium/hubble-ui-backend 
@@ -53,7 +53,7 @@ export HUBBLE_UI_FRONTEND_DIGEST:=sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461 # renovate: datasource=docker export SPIRE_INIT_REPO:=docker.io/library/busybox export SPIRE_INIT_VERSION:=1.36.1 -export SPIRE_INIT_DIGEST:=sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7 +export SPIRE_INIT_DIGEST:=sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140 # renovate: datasource=docker export SPIRE_SERVER_REPO:=ghcr.io/spiffe/spire-server export SPIRE_SERVER_VERSION:=1.9.6 diff --git a/helm/VERSION b/helm/VERSION index 41c11ffb..c807441c 100644 --- a/helm/VERSION +++ b/helm/VERSION @@ -1 +1 @@ -1.16.1 +1.16.3 diff --git a/helm/cilium/README.md b/helm/cilium/README.md index d3c0834c..16f19c50 100644 --- a/helm/cilium/README.md +++ b/helm/cilium/README.md 
@@ -84,7 +84,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| -| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":false}` | init container image of SPIRE agent and server | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":false}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -184,7 +184,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. | -| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-clustermesh-apiserver","tag":"v1.16.1","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-clustermesh-apiserver","tag":"v1.16.3","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -358,7 +358,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-envoy","tag":"v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51","useDigest":false}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-envoy","tag":"v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd","useDigest":false}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -500,7 +500,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[{"emptyDir":{},"name":"tmp-dir"}]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/hubble-relay","tag":"v1.16.1","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/hubble-relay","tag":"v1.16.3","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -606,7 +606,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","registry":"gsoci.azurecr.io","repository":"giantswarm/cilium","tag":"v1.16.1","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","registry":"gsoci.azurecr.io","repository":"giantswarm/cilium","tag":"v1.16.3","useDigest":false}` | Agent container image. | | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -734,7 +734,7 @@ contributors across the globe, there is almost always someone available to help. | operator.hostNetwork | bool | `true` | HostNetwork setting | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-operator","suffix":"","tag":"v1.16.1","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium-operator","suffix":"","tag":"v1.16.3","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -784,7 +784,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium","tag":"v1.16.1","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"giantswarm/cilium","tag":"v1.16.3","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/helm/cilium/templates/_helpers.tpl b/helm/cilium/templates/_helpers.tpl index f64bf6a0..f2ba7173 100644 --- a/helm/cilium/templates/_helpers.tpl +++ b/helm/cilium/templates/_helpers.tpl @@ -124,7 +124,7 @@ Convert a map to a comma-separated string: key1=value1,key2=value2 Enable automatic lookup of k8sServiceHost from the cluster-info ConfigMap (kubeadm-based clusters only) */}} {{- define "k8sServiceHost" }} - {{- if eq .Values.k8sServiceHost "auto" }} + {{- if and (eq .Values.k8sServiceHost "auto") (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }} {{- $configmap := (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }} {{- $kubeconfig := get $configmap.data "kubeconfig" }} {{- $k8sServer := get ($kubeconfig | fromYaml) "clusters" | mustFirst | dig "cluster" "server" "" }} 
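Review bot: The new guard turns a missing or unreadable kube-public/cluster-info ConfigMap into a silent skip instead of a render error, and `lookup` also returns an empty map under `helm template` and `--dry-run`, so a `k8sServiceHost: auto` install on a non-kubeadm cluster (or a client without read access to kube-public) now renders whatever the rest of the `k8sServiceHost` define produces — that remainder is outside the hunk. The same guard appears in the `k8sServicePort` hunk below and needs the same treatment. If the silent fallback is intended, a comment above the `if` such as `{{/* lookup returns an empty map when the ConfigMap is absent or the render has no cluster access; auto-detection is then skipped */}}` would make it read as deliberate; if not, an `{{- else if eq .Values.k8sServiceHost "auto" }}{{ fail "k8sServiceHost=auto requires the kube-public/cluster-info ConfigMap" }}` branch would surface the misconfiguration. The `lookup` call is also evaluated twice now; binding it once before the `if` (`{{- $configmap := lookup "v1" "ConfigMap" "kube-public" "cluster-info" }}`) and testing `$configmap` avoids that.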
@@ -139,7 +139,7 @@ Enable automatic lookup of k8sServiceHost from the cluster-info ConfigMap (kubea Enable automatic lookup of k8sServicePort from the cluster-info ConfigMap (kubeadm-based clusters only) */}} {{- define "k8sServicePort" }} - {{- if eq .Values.k8sServiceHost "auto" }} + {{- if and (eq .Values.k8sServiceHost "auto") (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }} {{- $configmap := (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }} {{- $kubeconfig := get $configmap.data "kubeconfig" }} {{- $k8sServer := get ($kubeconfig | fromYaml) "clusters" | mustFirst | dig "cluster" "server" "" }} diff --git a/helm/cilium/templates/cilium-envoy/daemonset.yaml b/helm/cilium/templates/cilium-envoy/daemonset.yaml index 1a8e2166..64383ad9 100644 --- a/helm/cilium/templates/cilium-envoy/daemonset.yaml +++ b/helm/cilium/templates/cilium-envoy/daemonset.yaml @@ -26,10 +26,6 @@ spec: template: metadata: annotations: - {{- if and .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }} - prometheus.io/port: "{{ .Values.envoy.prometheus.port }}" - prometheus.io/scrape: "true" - {{- end }} {{- if .Values.envoy.rollOutPods }} # ensure pods roll when configmap updates cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }} diff --git a/helm/cilium/templates/cilium-envoy/service.yaml b/helm/cilium/templates/cilium-envoy/service.yaml new file mode 100644 index 00000000..a55202a5 --- /dev/null +++ b/helm/cilium/templates/cilium-envoy/service.yaml 
@@ -0,0 +1,33 @@ +{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}} +{{- if and $envoyDS (not .Values.preflight.enabled) .Values.envoy.prometheus.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: cilium-envoy + namespace: {{ .Release.Namespace }} + {{- if or (not .Values.envoy.prometheus.serviceMonitor.enabled) .Values.envoy.annotations }} + annotations: + {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.envoy.prometheus.port | quote }} + {{- end }} + {{- with .Values.envoy.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + labels: + k8s-app: cilium-envoy + app.kubernetes.io/name: cilium-envoy + app.kubernetes.io/part-of: cilium + io.cilium/app: proxy +spec: + clusterIP: None + type: ClusterIP + selector: + k8s-app: cilium-envoy + ports: + - name: envoy-metrics + port: {{ .Values.envoy.prometheus.port }} + protocol: TCP + targetPort: envoy-metrics +{{- end }} diff --git a/helm/cilium/templates/cilium-operator/clusterrole.yaml b/helm/cilium/templates/cilium-operator/clusterrole.yaml index 1bc5de40..0d9a073c 100644 --- a/helm/cilium/templates/cilium-operator/clusterrole.yaml +++ b/helm/cilium/templates/cilium-operator/clusterrole.yaml @@ -27,6 +27,15 @@ rules: {{- end }} {{- end }} {{- end }} +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - cilium-config + verbs: + # allow patching of the configmap to set annotations + - patch {{- if or .Values.operator.removeNodeTaints .Values.operator.setNodeNetworkStatus (include "hasDuration" .Values.operator.endpointGCInterval) }} - apiGroups: - "" diff --git a/helm/cilium/templates/cilium-operator/deployment.yaml b/helm/cilium/templates/cilium-operator/deployment.yaml index 5edb5c98..4a86b49d 100644 --- a/helm/cilium/templates/cilium-operator/deployment.yaml +++ b/helm/cilium/templates/cilium-operator/deployment.yaml 
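Review bot: Moving the `prometheus.io/scrape` and `prometheus.io/port` annotations from the Envoy DaemonSet pod template (deleted in the daemonset.yaml hunk above) onto this new headless Service changes which discovery path finds the Envoy metrics endpoint: a Prometheus that relies on pod-annotation discovery only will stop collecting envoy metrics after this upgrade, while one using service or endpoints discovery will start. The CHANGELOG hunk in this commit mentions only the version bump, so this behaviour change deserves its own line there, e.g. `- Envoy Prometheus scrape annotations moved from the cilium-envoy pods to a new headless cilium-envoy Service.` The annotation block is correctly limited to the case where the ServiceMonitor is disabled, matching the condition that was removed from the pod template.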
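Review bot: The inline comment on the new rule says the `patch` verb on the `cilium-config` ConfigMap is for setting annotations, but RBAC cannot scope a patch to metadata: the same grant lets the operator service account rewrite the agent configuration data, so the comment understates the privilege being added. Suggest `# allow patching of the configmap to set annotations (RBAC cannot limit patch to metadata; this also permits changing data)` so the next auditor is not misled. The rule is unconditional while the neighbouring rule is wrapped in a feature `if`; whether the annotation patch runs in every operator configuration is not visible here, so I cannot tell if it could be gated the same way. Patches to cilium-config from any subject other than the operator service account remain the event worth alerting on.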
@@ -362,7 +362,7 @@ spec: name: cilium-clustermesh optional: true # note: items are not explicitly listed here, since the entries of this secret - # depend on the peers configured, and that would cause a restart of all agents + # depend on the peers configured, and that would cause a restart of all operators # at every addition/removal. Leaving the field empty makes each secret entry # to be automatically projected into the volume as a file whose name is the key. - secret: @@ -384,5 +384,28 @@ spec: - key: {{ .Values.tls.caBundle.key }} path: common-etcd-client-ca.crt {{- end }} + # note: we configure the volume for the kvstoremesh-specific certificate + # regardless of whether KVStoreMesh is enabled or not, so that it can be + # automatically mounted in case KVStoreMesh gets subsequently enabled, + # without requiring an operator restart. + - secret: + name: clustermesh-apiserver-local-cert + optional: true + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + {{- if not .Values.tls.caBundle.enabled }} + - key: ca.crt + path: local-etcd-client-ca.crt + {{- else }} + - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}: + name: {{ .Values.tls.caBundle.name }} + optional: true + items: + - key: {{ .Values.tls.caBundle.key }} + path: local-etcd-client-ca.crt + {{- end }} {{- end }} {{- end }} diff --git a/helm/cilium/templates/hubble/tls-certmanager/metrics-server-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/metrics-server-secret.yaml index d7f151ae..d4e263f1 100644 --- a/helm/cilium/templates/hubble/tls-certmanager/metrics-server-secret.yaml +++ b/helm/cilium/templates/hubble/tls-certmanager/metrics-server-secret.yaml @@ -29,4 +29,9 @@ spec: duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} privateKey: rotationPolicy: Always + isCA: false + usages: + - signing + - key encipherment + - server auth {{- end }} 
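Review bot: The new `clustermesh-apiserver-local-cert` volume in the second hunk projects the client private key (`tls.key`) into the operator pod whenever that Secret exists, even while KVStoreMesh is disabled; the note explains the motivation (no operator restart when it is enabled later) but not this cost. Suggest adding one line to the note: `# As a consequence the client private key is mounted into the operator pod whenever the Secret exists, even while KVStoreMesh is disabled.` The `volumes:` list and the mount that consumes this volume start outside the hunk, so I cannot see where the files land.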
diff --git a/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml index 1dd96b18..373d6c54 100644 --- a/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml +++ b/helm/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml @@ -19,4 +19,9 @@ spec: duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} privateKey: rotationPolicy: Always + isCA: false + usages: + - signing + - key encipherment + - client auth {{- end }} diff --git a/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml index 845b4fb8..c33b912b 100644 --- a/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml +++ b/helm/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml @@ -28,4 +28,9 @@ spec: duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} privateKey: rotationPolicy: Always + isCA: false + usages: + - signing + - key encipherment + - server auth {{- end }} diff --git a/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml index 5f202e10..b34f27c5 100644 --- a/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml +++ b/helm/cilium/templates/hubble/tls-certmanager/server-secret.yaml @@ -29,4 +29,10 @@ spec: duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} privateKey: rotationPolicy: Always + isCA: false + usages: + - signing + - key encipherment + - server auth + - client auth {{- end }} diff --git a/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml index 5006666e..64ace187 100644 --- a/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml 
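Review bot: The hubble server certificate in the server-secret.yaml hunk now carries both `server auth` and `client auth` extended key usages (mirrored by the `- client auth` added in the `_job-spec.tpl` hunk below), and nothing in either hunk says which peer presents this certificate as a TLS client; the relay-client and ui-client certificates get `client auth` alone, so the asymmetry will read as a mistake to the next maintainer. A one-line comment above `usages:` naming the client-side use, e.g. `# client auth: [component that dials with this cert — TODO confirm]`, would settle it. If the certificate is only ever presented by the server, dropping `client auth` keeps the EKU set minimal; the other tls-certmanager hunks in this commit look consistent with their role.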
+++ b/helm/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml @@ -19,4 +19,9 @@ spec: duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} privateKey: rotationPolicy: Always + isCA: false + usages: + - signing + - key encipherment + - client auth {{- end }} diff --git a/helm/cilium/templates/hubble/tls-cronjob/_job-spec.tpl b/helm/cilium/templates/hubble/tls-cronjob/_job-spec.tpl index 49604160..7f47f21d 100644 --- a/helm/cilium/templates/hubble/tls-cronjob/_job-spec.tpl +++ b/helm/cilium/templates/hubble/tls-cronjob/_job-spec.tpl @@ -54,6 +54,7 @@ spec: - signing - key encipherment - server auth + - client auth validity: {{ $certValidityStr }} {{- if .Values.hubble.relay.enabled }} - name: hubble-relay-client-certs diff --git a/helm/cilium/templates/validate.yaml b/helm/cilium/templates/validate.yaml index 8bc687db..3afc14f1 100644 --- a/helm/cilium/templates/validate.yaml +++ b/helm/cilium/templates/validate.yaml 
@@ -1,3 +1,47 @@ +{{/* validate deprecated options are not being used */}} + +{{/* Options deprecated in v1.15 and removed in v1.16 */}} +{{- if or + (dig "encryption" "keyFile" "" .Values.AsMap) + (dig "encryption" "mountPath" "" .Values.AsMap) + (dig "encryption" "secretName" "" .Values.AsMap) + (dig "encryption" "interface" "" .Values.AsMap) +}} + {{ fail "encryption.{keyFile,mountPath,secretName,interface} were deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }} +{{- end }} +{{- if or + ((dig "proxy" "prometheus" "enabled" "" .Values.AsMap) | toString) + (dig "proxy" "prometheus" "port" "" .Values.AsMap) +}} + {{ fail "proxy.prometheus.enabled and proxy.prometheus.port were deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }} +{{- end }} +{{- if (dig "endpointStatus" "" .Values.AsMap) }} + {{ fail "endpointStatus has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }} +{{- end }} +{{- if (dig "remoteNodeIdentity" "" .Values.AsMap) }} + {{ fail "remoteNodeIdentity was deprecated in v1.15 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }} +{{- end }} +{{- if (dig "containerRuntime" "integration" "" .Values.AsMap) }} + {{ fail "containerRuntime.integration was deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }} +{{- end }} +{{- if (dig "etcd" "managed" "" .Values.AsMap) }} + {{ fail "etcd.managed was deprecated in v1.10 has been removed in v1.16. 
For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }} +{{- end }} + +{{/* Options deprecated in v1.14 and removed in v1.15 */}} +{{- if .Values.tunnel }} + {{ fail "tunnel was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }} +{{- end }} +{{- if or (dig "clustermesh" "apiserver" "tls" "ca" "cert" "" .Values.AsMap) (dig "clustermesh" "apiserver" "tls" "ca" "key" "" .Values.AsMap) }} + {{ fail "clustermesh.apiserver.tls.ca.cert and clustermesh.apiserver.tls.ca.key were deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }} +{{- end }} +{{- if .Values.enableK8sEventHandover }} + {{ fail "enableK8sEventHandover was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }} +{{- end }} +{{- if .Values.enableCnpStatusUpdates }} + {{ fail "enableCnpStatusUpdates was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }} +{{- end }} + {{/* validate hubble config */}} {{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }} {{- if not .Values.hubble.relay.enabled }} diff --git a/helm/cilium/values.yaml b/helm/cilium/values.yaml index e4755844..fe8777a8 100644 --- a/helm/cilium/values.yaml +++ b/helm/cilium/values.yaml @@ -163,7 +163,7 @@ image: # @schema override: ~ repository: "giantswarm/cilium" - tag: "v1.16.1" + tag: "v1.16.3" pullPolicy: "IfNotPresent" # cilium-digest digest: "" @@ -1323,7 +1323,7 @@ hubble: # @schema override: ~ repository: "giantswarm/hubble-relay" - tag: "v1.16.1" + tag: "v1.16.3" # hubble-relay-digest digest: "" useDigest: false 
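Review bot: The section comment `{{/* Options deprecated in v1.15 and removed in v1.16 */}}` disagrees with the `fail` messages beneath it, which say the `encryption.*`, `proxy.prometheus.*` and `containerRuntime.integration` options were deprecated in v1.14 and `etcd.managed` in v1.10; only `remoteNodeIdentity` matches v1.15. Suggest `{{/* Options removed in v1.16 (deprecated in earlier releases; see each message) */}}`. The messages themselves mix number (`were deprecated ... and has been removed` should read `have been removed`), and the `etcd.managed` message is missing `and` between `v1.10` and `has been removed`. The `proxy.prometheus.enabled` check pipes the value through `toString` so that an explicit `false` still trips the guard; that is presumably intended for a removed option, but a short comment above it would make it read as deliberate rather than as a bug.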
@@ -2205,9 +2205,9 @@ envoy: # @schema override: ~ repository: "giantswarm/cilium-envoy" - tag: "v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51" + tag: "v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd" pullPolicy: "IfNotPresent" - digest: "sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b" + digest: "sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba" useDigest: false # -- Additional containers added to the cilium Envoy DaemonSet. extraContainers: [] @@ -2521,7 +2521,7 @@ operator: # @schema override: ~ repository: "giantswarm/cilium-operator" - tag: "v1.16.1" + tag: "v1.16.3" # operator-generic-digest genericDigest: "" # operator-azure-digest @@ -2822,7 +2822,7 @@ preflight: # @schema override: ~ repository: "giantswarm/cilium" - tag: "v1.16.1" + tag: "v1.16.3" # cilium-digest digest: "" useDigest: false @@ -2971,7 +2971,7 @@ clustermesh: # @schema override: ~ repository: "giantswarm/cilium-clustermesh-apiserver" - tag: "v1.16.1" + tag: "v1.16.3" # clustermesh-apiserver-digest digest: "" useDigest: false @@ -3472,7 +3472,7 @@ authentication: override: ~ repository: "docker.io/library/busybox" tag: "1.36.1" - digest: "sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7" + digest: "sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140" useDigest: false pullPolicy: "IfNotPresent" # SPIRE agent configuration diff --git a/vendir.lock.yml b/vendir.lock.yml index b3dda3af..4607b325 100644 --- a/vendir.lock.yml +++ b/vendir.lock.yml @@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - git: - commitTitle: Prepare for release v1.16.1... - sha: 685790550b375380dd8fac71cc2a37427d78fc40 + commitTitle: Prepare for release v1.16.3... + sha: f221719170636b0e0da2c7b8227c18967a1201c8 tags: - - v1.16.1 + - 1.16.3 path: cilium path: vendor - contents: diff --git a/vendir.yml b/vendir.yml index 6ed484a0..f13ce550 100644 --- a/vendir.yml +++ b/vendir.yml 
@@ -7,7 +7,7 @@ directories: git: depth: 1 url: https://github.com/cilium/cilium - ref: "v1.16.1" + ref: "v1.16.3" includePaths: - install/kubernetes/**/* - Makefile.defs