diff --git a/helm/cilium/Chart.yaml b/helm/cilium/Chart.yaml index 358ccf43..eaa35fae 100644 --- a/helm/cilium/Chart.yaml +++ b/helm/cilium/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: cilium displayName: Cilium home: https://cilium.io/ -version: 1.14.4 -appVersion: 1.14.4 +version: 1.14.5 +appVersion: 1.14.5 kubeVersion: ">= 1.16.0-0" icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability diff --git a/helm/cilium/README.md b/helm/cilium/README.md index a088784d..5a726d46 100644 --- a/helm/cilium/README.md +++ b/helm/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.14.4](https://img.shields.io/badge/Version-1.14.4-informational?style=flat-square) ![AppVersion: 1.14.4](https://img.shields.io/badge/AppVersion-1.14.4-informational?style=flat-square) +![Version: 1.14.5](https://img.shields.io/badge/Version-1.14.5-informational?style=flat-square) ![AppVersion: 1.14.5](https://img.shields.io/badge/AppVersion-1.14.5-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -67,9 +67,13 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.agentSocketPath | string | `"/run/spire/sockets/agent/agent.sock"` | SPIRE socket path where the SPIRE workload agent is listening. Applies to both the Cilium Agent and Operator | | authentication.mutual.spire.connectionTimeout | string | `"30s"` | SPIRE connection timeout | | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | +| authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | | authentication.mutual.spire.install.agent.image | string | `"ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823"` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | +| authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | +| authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | +| authentication.mutual.spire.install.agent.securityContext | object | `{}` | Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings. 
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | | authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account | | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. | | authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | 
@@ -151,12 +155,12 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | -| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.4","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.5","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. | -| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.4","useDigest":false}` | KVStoreMesh image. | +| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.5","useDigest":false}` | KVStoreMesh image. 
| | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container | | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context | | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. | @@ -308,7 +312,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b","useDigest":true}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -410,9 +414,11 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). | | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) | | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. | +| hubble.relay.extraVolumeMounts | list | `[]` | Additional hubble-relay volumeMounts. | +| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.4","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.5","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -504,7 +510,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":false}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -527,6 +533,7 @@ contributors across the globe, there is almost always someone available to help. | ingressController.service.name | string | `"cilium-ingress"` | Service name | | ingressController.service.secureNodePort | string | `nil` | Configure a specific nodePort for secure HTTPS traffic on the shared LB service | | ingressController.service.type | string | `"LoadBalancer"` | Service type for the shared LB service | +| initResources | object | `{}` | resources & limits for the agent init containers | | installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. | | ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent | | ipam.ciliumNodeUpdateRate | string | `"15s"` | Maximum rate at which the CiliumNode custom resource is updated. | 
@@ -611,7 +618,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.4","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.5","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -649,6 +656,7 @@ contributors across the globe, there is almost always someone available to help. | podAnnotations | object | `{}` | Annotations to be added to agent pods | | podLabels | object | `{}` | Labels to be added to agent pods | | podSecurityContext | object | `{}` | Security Context for cilium-agent pods. | +| policyCIDRMatchMode | string | `nil` | policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. The possible value is "nodes". | | policyEnforcementMode | string | `"default"` | The agent can be put into one of the three policy enforcement modes: default, always and never. ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes | | pprof.address | string | `"localhost"` | Configure pprof listen address for cilium-agent | | pprof.enabled | bool | `false` | Enable pprof for cilium-agent | 
@@ -658,7 +666,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json b/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json index 3d8656c3..ea8984db 100644 --- a/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json +++ b/helm/cilium/files/cilium-envoy/configmap/bootstrap-config.json @@ -36,7 +36,7 @@ "prefix": "/metrics" }, "route": { - "cluster": "envoy-admin", + "cluster": "/envoy-admin", "prefix_rewrite": "/stats/prometheus" } } @@ -102,7 +102,7 @@ "prefix": "/healthz" }, "route": { - "cluster": "envoy-admin", + "cluster": "/envoy-admin", "prefix_rewrite": "/ready" } } 
@@ -245,11 +245,11 @@ } }, { - "name": "envoy-admin", + "name": "/envoy-admin", "type": "STATIC", "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", "loadAssignment": { - "clusterName": "envoy-admin", + "clusterName": "/envoy-admin", "endpoints": [ { "lbEndpoints": [ diff --git a/helm/cilium/templates/cilium-agent/daemonset.yaml b/helm/cilium/templates/cilium-agent/daemonset.yaml index ac01f755..db7adb8c 100644 --- a/helm/cilium/templates/cilium-agent/daemonset.yaml +++ b/helm/cilium/templates/cilium-agent/daemonset.yaml @@ -403,6 +403,9 @@ spec: volumeMounts: - name: cilium-run mountPath: /var/run/cilium + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.monitor.resources }} resources: {{- toYaml . | trim | nindent 10 }} @@ -517,6 +520,10 @@ spec: - name: apply-sysctl-overwrites image: "{{ .Values.image.registry }}/{{ include "cilium.image" .Values.image }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} env: - name: BIN_PATH value: {{ .Values.cni.binPath }} @@ -562,6 +569,10 @@ spec: - name: mount-bpf-fs image: "{{ .Values.image.registry }}/{{ include "cilium.image" .Values.image }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' command: @@ -583,6 +594,10 @@ spec: - name: wait-for-node-init image: "{{ .Values.image.registry }}/{{ include "cilium.image" .Values.image }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} command: - sh - -c 
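Review bot: The shared `.Values.extraVolumeMounts` list is now also mounted into the container whose volumeMounts the first daemonset hunk edits (the one sized by `monitor.resources`, so presumably the cilium-monitor sidecar), which means any Secret or hostPath a user adds for the agent is exposed to that container as well. If that broadening is intended, the `extraVolumeMounts` entry in values.yaml should say so, e.g. `# -- Additional agent volumeMounts. Applied to every container in the agent pod, not only cilium-agent.`; otherwise a dedicated `monitor.extraVolumeMounts` keeps the sidecar's view narrow. The four identical `initResources` stanzas in the later hunks would also be less likely to drift as one named template. The container definitions these hunks touch start outside the hunks.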
@@ -654,7 +669,10 @@ spec: mountPropagation: HostToContainer - name: cilium-run mountPath: /var/run/cilium - {{- with .Values.nodeinit.resources }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initResources }} resources: {{- toYaml . | trim | nindent 10 }} {{- end }} @@ -662,6 +680,10 @@ spec: - name: wait-for-kube-proxy image: "{{ .Values.image.registry }}/{{ include "cilium.image" .Values.image }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} securityContext: privileged: true command: diff --git a/helm/cilium/templates/cilium-configmap.yaml b/helm/cilium/templates/cilium-configmap.yaml index 42eca9b8..6543ec32 100644 --- a/helm/cilium/templates/cilium-configmap.yaml +++ b/helm/cilium/templates/cilium-configmap.yaml @@ -189,6 +189,11 @@ data: enable-policy: "{{ lower .Values.policyEnforcementMode }}" {{- end }} +{{- if hasKey .Values "policyCIDRMatchMode" }} + policy-cidr-match-mode: {{ join " " .Values.policyCIDRMatchMode | quote }} +{{- end}} + + {{- if .Values.prometheus.enabled }} # If you want metrics enabled in all of your Cilium agents, set the port for # which the Cilium agents will have their metrics exposed. @@ -792,6 +797,9 @@ data: {{- if (not (kindIs "invalid" .Values.cni.chainingTarget)) }} cni-chaining-target: {{ .Values.cni.chainingTarget | quote }} {{- end}} +{{- if (not (kindIs "invalid" .Values.cni.externalRouting)) }} + cni-external-routing: {{ .Values.cni.externalRouting | quote }} +{{- end}} {{- if .Values.kubeConfigPath }} k8s-kubeconfig-path: {{ .Values.kubeConfigPath | quote }} {{- end }} diff --git a/helm/cilium/templates/cilium-preflight/deployment.yaml b/helm/cilium/templates/cilium-preflight/deployment.yaml index 0bb874d4..b1283c59 100644 --- a/helm/cilium/templates/cilium-preflight/deployment.yaml +++ b/helm/cilium/templates/cilium-preflight/deployment.yaml 
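Review bot: Replacing `{{- with .Values.nodeinit.resources }}` with `{{- with .Values.initResources }}` on this init container (its `- name:` line is outside the hunk) silently drops limits that existing installs may have set under `nodeinit.resources`, if that key is still accepted elsewhere in the chart. A fallback keeps old values effective during the transition: `{{- with (.Values.initResources | default .Values.nodeinit.resources) }}`. The same hunk also mounts user-supplied `.Values.extraVolumeMounts` into this init container next to a `HostToContainer` propagated mount; whether arbitrary user volumes should reach it deserves a comment on `extraVolumeMounts` in values.yaml.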
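Review bot: The `hasKey .Values "policyCIDRMatchMode"` guard is true whenever the key exists, including the bare `policyCIDRMatchMode:` null default this commit adds to values.yaml, so `policy-cidr-match-mode: ""` is rendered into every ConfigMap instead of being omitted; the agent presumably treats the empty string as the default, but it differs from how the other optional keys behave. The `cni-external-routing` hunk in the same file uses the stricter `{{- if (not (kindIs "invalid" .Values.policyCIDRMatchMode)) }}` form, which would emit the key only when a value is actually set. Also, `join " "` implies a list while the generated README types the value as `string`; documenting the expected shape (`policyCIDRMatchMode: ["nodes"]`) removes the ambiguity.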
@@ -56,6 +56,10 @@ spec: - /tmp/ready-validate-cnp initialDelaySeconds: 5 periodSeconds: 5 + {{- with .Values.preflight.extraVolumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} env: {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST @@ -73,11 +77,16 @@ spec: {{- toYaml . | trim | nindent 12 }} {{- end }} terminationMessagePolicy: FallbackToLogsOnError + {{- with .Values.preflight.extraVolumes }} + volumes: + {{- toYaml . | trim | nindent 6 }} + {{- end }} hostNetwork: true restartPolicy: Always priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-cluster-critical") }} serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }} + automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }} terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }} {{- with .Values.preflight.affinity }} affinity: diff --git a/helm/cilium/templates/clustermesh-apiserver/deployment.yaml b/helm/cilium/templates/clustermesh-apiserver/deployment.yaml index f5a12813..969fb6fc 100644 --- a/helm/cilium/templates/clustermesh-apiserver/deployment.yaml +++ b/helm/cilium/templates/clustermesh-apiserver/deployment.yaml @@ -82,6 +82,9 @@ spec: volumeMounts: - name: etcd-data-dir mountPath: /var/run/etcd + {{- with .Values.clustermesh.apiserver.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError {{- with .Values.clustermesh.apiserver.etcd.init.resources }} resources: @@ -132,6 +135,9 @@ spec: readOnly: true - name: etcd-data-dir mountPath: /var/run/etcd + {{- with .Values.clustermesh.apiserver.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError {{- with .Values.clustermesh.apiserver.etcd.resources }} resources: 
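Review bot: `automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }}` is emitted unquoted and unguarded, so if `serviceAccounts.preflight.automount` is absent from values (its definition is not in this diff) the field renders empty, which Kubernetes reads as null and falls back to the ServiceAccount's own setting rather than an explicit choice. Either guard it like the other optional keys, e.g. wrap the line in `{{- if hasKey .Values.serviceAccounts.preflight "automount" }}`, or confirm the default is declared in values.yaml and values.yaml.tmpl. For a `hostNetwork: true` pod this is a worthwhile hardening knob; it just needs deterministic rendering.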
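Review bot: Both clustermesh hunks mount the single `clustermesh.apiserver.extraVolumeMounts` list into the etcd init container and the etcd container, so volumes a user adds for the apiserver itself (the README describes them only as "Additional clustermesh-apiserver volumeMounts") become visible to etcd as well. If extra TLS material or kvstore credentials are the expected use, a dedicated `clustermesh.apiserver.etcd.extraVolumeMounts` would keep them out of containers that do not need them; at minimum the values.yaml comment should state that the list applies to every container of the deployment. The containers' `- name:` lines sit outside the hunks.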
diff --git a/helm/cilium/templates/hubble-relay/deployment.yaml b/helm/cilium/templates/hubble-relay/deployment.yaml index f82a7cb2..c6831258 100644 --- a/helm/cilium/templates/hubble-relay/deployment.yaml +++ b/helm/cilium/templates/hubble-relay/deployment.yaml @@ -89,6 +89,9 @@ spec: mountPath: /var/lib/hubble-relay/tls readOnly: true {{- end }} + {{- with .Values.hubble.relay.extraVolumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError restartPolicy: Always priorityClassName: {{ .Values.hubble.relay.priorityClassName }} @@ -159,4 +162,7 @@ spec: path: server.key {{- end }} {{- end }} + {{- with .Values.hubble.relay.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} diff --git a/helm/cilium/templates/spire/agent/daemonset.yaml b/helm/cilium/templates/spire/agent/daemonset.yaml index 758b17c1..f186eaef 100644 --- a/helm/cilium/templates/spire/agent/daemonset.yaml +++ b/helm/cilium/templates/spire/agent/daemonset.yaml @@ -30,6 +30,10 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} + {{- with .Values.authentication.mutual.spire.install.agent.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} initContainers: - name: init image: docker.io/library/busybox:1.35.0@sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b @@ -42,6 +46,10 @@ spec: - name: spire-agent image: {{ .Values.authentication.mutual.spire.install.agent.image }} args: ["-config", "/run/spire/config/agent.conf"] + {{- with .Values.authentication.mutual.spire.install.agent.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: spire-config mountPath: /run/spire/config 
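Review bot: In the spire daemonset hunk the new `securityContext` block is applied only to the `spire-agent` container; the busybox `init` container a few lines above it still runs with image defaults and has no values knob at all. Either reuse `.Values.authentication.mutual.spire.install.agent.securityContext` there or add a matching `initSecurityContext` value. Because both new values default to `{}` and the pod is `hostNetwork: true` (visible in the hunk context), nothing is hardened out of the box; a values comment pointing users at a minimal baseline (`allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`) would help, though which capabilities the agent's workload attestor actually needs should be verified before making that the default.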
@@ -72,6 +80,14 @@ spec: port: 4251 initialDelaySeconds: 5 periodSeconds: 5 + {{- with .Values.authentication.mutual.spire.install.agent.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authentication.mutual.spire.install.agent.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.authentication.mutual.spire.install.agent.tolerations }} tolerations: {{- toYaml . | trim | nindent 8 }} diff --git a/helm/cilium/values.yaml b/helm/cilium/values.yaml index d57a14a7..8656df07 100644 --- a/helm/cilium/values.yaml +++ b/helm/cilium/values.yaml @@ -150,10 +150,10 @@ rollOutCiliumPods: false # -- Agent container image. image: - registry: gsoci.azurecr.io + registry: docker.io override: ~ repository: "giantswarm/cilium" - tag: "v1.14.4" + tag: "v1.14.5" pullPolicy: "IfNotPresent" # cilium-digest digest: "" @@ -240,6 +240,9 @@ resources: {} # cpu: 100m # memory: 512Mi +# -- resources & limits for the agent init containers +initResources: {} + securityContext: # -- User to run the pod with # runAsUser: 0 @@ -1120,7 +1123,7 @@ hubble: image: override: ~ repository: "giantswarm/hubble-relay" - tag: "v1.14.4" + tag: "v1.14.5" # hubble-relay-digest digest: "" useDigest: false @@ -1188,6 +1191,12 @@ hubble: rollingUpdate: maxUnavailable: 1 + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. + extraVolumeMounts: [] + # -- hubble-relay pod security context podSecurityContext: fsGroup: 65532 @@ -1769,6 +1778,10 @@ nodePort: # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" +# -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. +# The possible value is "nodes". +policyCIDRMatchMode: + pprof: # -- Enable pprof for cilium-agent enabled: false 
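Review bot: `registry: gsoci.azurecr.io` becomes `registry: docker.io` for the agent image while `digest: ""` and `useDigest: false` are kept, so a DaemonSet whose init containers run `privileged: true` (see the daemonset hunks) now pulls `giantswarm/cilium:v1.14.5` by mutable tag from Docker Hub. If the move is intentional, pin it: set `digest` to the published sha256 and `useDigest: true`, as this file already does for `envoy.image`, and add a comment above `registry:` explaining the change so it is not reverted as a typo. The values.yaml.tmpl hunks in this diff do not touch their `image:` stanza, so the two files may now disagree on the registry; worth checking. Unauthenticated Docker Hub pulls are also rate-limited, which matters for a per-node pull.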
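Review bot: The new comment calls `policyCIDRMatchMode` a list but the default is a bare `policyCIDRMatchMode:`, which YAML reads as null, and the README generated from it types the value as `string`; writing `policyCIDRMatchMode: []` with `# Example: policyCIDRMatchMode: ["nodes"]` makes the expected shape explicit. The comment should also say what `nodes` does, since it changes policy semantics rather than scheduling, along the lines of `# When set to ["nodes"], CIDR selectors in network policies may also match cluster node IPs, which are presumably otherwise only selectable through the host/remote-node entities; review existing CIDR allow rules before enabling.` The exact behaviour should be confirmed against the agent's `policy-cidr-match-mode` flag documentation before the comment is finalised.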
@@ -1859,9 +1872,9 @@ envoy: image: override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1" + tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b" pullPolicy: "IfNotPresent" - digest: "sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea" + digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. @@ -2256,7 +2269,7 @@ operator: image: override: ~ repository: "giantswarm/cilium-operator" - tag: "v1.14.4" + tag: "v1.14.5" # operator-generic-digest genericDigest: "" # operator-azure-digest @@ -2543,7 +2556,7 @@ preflight: image: override: ~ repository: "giantswarm/cilium" - tag: "v1.14.4" + tag: "v1.14.5" # cilium-digest digest: "" useDigest: false @@ -2693,7 +2706,7 @@ clustermesh: image: override: ~ repository: "giantswarm/clustermesh-apiserver" - tag: "v1.14.4" + tag: "v1.14.5" # clustermesh-apiserver-digest digest: "" useDigest: false @@ -2740,7 +2753,7 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/kvstoremesh" - tag: "v1.14.4" + tag: "v1.14.5" # kvstoremesh-digest digest: "" useDigest: false 
@@ -3146,6 +3159,19 @@ authentication: # -- SPIRE agent tolerations configuration # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] + # -- SPIRE agent affinity configuration + affinity: {} + # -- SPIRE agent nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- Security context to be added to spire agent pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire agent containers. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} server: # -- SPIRE server image image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f diff --git a/helm/cilium/values.yaml.tmpl b/helm/cilium/values.yaml.tmpl index 5c72fefa..0d51a72c 100644 --- a/helm/cilium/values.yaml.tmpl +++ b/helm/cilium/values.yaml.tmpl @@ -227,6 +227,9 @@ resources: {} # cpu: 100m # memory: 512Mi +# -- resources & limits for the agent init containers +initResources: {} + securityContext: # -- User to run the pod with # runAsUser: 0 @@ -1175,6 +1178,12 @@ hubble: rollingUpdate: maxUnavailable: 1 + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. + extraVolumeMounts: [] + # -- hubble-relay pod security context podSecurityContext: fsGroup: 65532 
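Review bot: The comment on the new container-level `securityContext` says "SecurityContext holds pod-level security attributes and common container settings", which is the pod-level wording copied from `podSecurityContext` two entries above and is wrong for this key; change it to `# SecurityContext holds security configuration that will be applied to the spire-agent container.` The `nodeSelector` comment also has a doubled `ref: ref:`. Both mistakes are mirrored in the values.yaml.tmpl hunk and in the generated README rows, so fix them in the template source and regenerate.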
@@ -1756,6 +1765,10 @@ nodePort: # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" +# -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. +# The possible value is "nodes". +policyCIDRMatchMode: + pprof: # -- Enable pprof for cilium-agent enabled: false @@ -1845,9 +1858,9 @@ envoy: image: override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1" + tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b" pullPolicy: "${PULL_POLICY}" - digest: "sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea" + digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. @@ -3132,6 +3145,19 @@ authentication: # -- SPIRE agent tolerations configuration # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] + # -- SPIRE agent affinity configuration + affinity: {} + # -- SPIRE agent nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- Security context to be added to spire agent pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire agent containers. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} server: # -- SPIRE server image image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f