Use cilium and network-policies from cluster chart (#523)

giantswarm · Feb 23, 2024 · 094a1ee · 094a1ee
1 parent 417c215
commit 094a1ee
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 141 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - Chart: Bump `cluster` to v0.9.1. ([#521](https://github.com/giantswarm/cluster-aws/pull/521))
+- Use cilium and network-policies from cluster chart, and remove them from cluster-aws.
 
 ## [0.63.0] - 2024-02-22
 

diff --git a/helm/cluster-aws/Chart.lock b/helm/cluster-aws/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
   version: 0.7.0
 - name: cluster
   repository: https://giantswarm.github.io/cluster-catalog
-  version: 0.9.1
-digest: sha256:487652f84db445490806b4cb1553e81d49917131445b23661908be4f0dd09036
-generated: "2024-02-22T15:55:24.67835+01:00"
+  version: 0.10.0
+digest: sha256:f4cb5320897fce6828fd94851311f9b4dc89ebaee2b9fe2503177281900cd2a9
+generated: "2024-02-23T16:02:43.04619+01:00"
diff --git a/helm/cluster-aws/Chart.yaml b/helm/cluster-aws/Chart.yaml
@@ -19,5 +19,5 @@ dependencies:
     version: "0.7.0"
     repository: "https://giantswarm.github.io/cluster-catalog"
   - name: cluster
-    version: "0.9.1"
+    version: "0.10.0"
     repository: "https://giantswarm.github.io/cluster-catalog"
diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md
@@ -271,7 +271,7 @@ Properties within the `.global.podSecurityStandards` object
 | **Property** | **Description** | **More Details** |
 | :----------- | :-------------- | :--------------- |
 | `baseDomain` | **Base DNS domain**|**Type:** `string`<br/>|
-| `cluster` | **Cluster** - Helm values for the provider-independent cluster chart|**Type:** `object`<br/>**Default:** `{"providerIntegration":{"clusterAnnotationsTemplateName":"awsConnectivityLabels","components":{"systemd":{"timesyncd":{"ntp":["169.254.169.123"]}}},"connectivity":{"proxy":{"noProxy":{"templateName":"awsNoProxyList","value":["elb.amazonaws.com","169.254.169.254"]}}},"controlPlane":{"kubeadmConfig":{"clusterConfiguration":{"apiServer":{"apiAudiences":{"templateName":"awsApiServerApiAudiences"},"featureGates":[{"enabled":true,"name":"CronJobTimeZone"}],"serviceAccountIssuer":{"clusterDomainPrefix":"irsa"}}},"ignition":{"containerLinuxConfig":{"additionalConfig":{"storage":{"filesystems":[{"mount":{"device":"/dev/xvdc","format":"xfs","label":"etcd","wipeFilesystem":true},"name":"etcd"},{"mount":{"device":"/dev/xvdd","format":"xfs","label":"containerd","wipeFilesystem":true},"name":"containerd"},{"mount":{"device":"/dev/xvde","format":"xfs","label":"kubelet","wipeFilesystem":true},"name":"kubelet"}]},"systemd":{"units":[{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/etcd","where":"/var/lib/etcd"},"unit":{"defaultDependencies":false,"description":"etcd volume"}},"enabled":true,"name":"var-lib-etcd.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/kubelet","where":"/var/lib/kubelet"},"unit":{"defaultDependencies":false,"description":"kubelet volume"}},"enabled":true,"name":"var-lib-kubelet.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/containerd","where":"/var/lib/containerd"},"unit":{"defaultDependencies":false,"description":"containerd volume"}},"enabled":true,"name":"var-lib-containerd.mount"}]}}}}},"resources":{"infrastructureMachineTemplate":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachineTemplate","version":"v1beta1"},"infrastructureMachineTemplateSpecTemplateName":"controlplane-awsmachinetemplate-spec"}},"pauseProperties":{"global.connectivity.vpcMode":"private"},"provider":"aws","resourcesApi":{"bastionResourceEnabled":false,"clusterResourceEnabled":true,"controlPlaneResourceEnabled":true,"coreDnsHelmReleaseResourceEnabled":true,"helmRepositoryResourcesEnabled":true,"infrastructureCluster":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSCluster","version":"v1beta1"},"infrastructureMachinePool":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachinePool","version":"v1beta1"},"machineHealthCheckResourceEnabled":true,"machinePoolResourcesEnabled":true,"nodePoolKind":"MachinePool","verticalPodAutoscalerCrdHelmReleaseResourceEnabled":true},"workers":{"defaultNodePools":{"def00":{"customNodeLabels":["label=default"],"instanceType":"r6i.xlarge","maxSize":3,"minSize":3}}}}}`|
+| `cluster` | **Cluster** - Helm values for the provider-independent cluster chart|**Type:** `object`<br/>**Default:** `{"providerIntegration":{"apps":{"cilium":{"configTemplateName":"awsCiliumHelmValues"}},"clusterAnnotationsTemplateName":"awsConnectivityLabels","components":{"systemd":{"timesyncd":{"ntp":["169.254.169.123"]}}},"connectivity":{"proxy":{"noProxy":{"templateName":"awsNoProxyList","value":["elb.amazonaws.com","169.254.169.254"]}}},"controlPlane":{"kubeadmConfig":{"clusterConfiguration":{"apiServer":{"apiAudiences":{"templateName":"awsApiServerApiAudiences"},"featureGates":[{"enabled":true,"name":"CronJobTimeZone"}],"serviceAccountIssuer":{"clusterDomainPrefix":"irsa"}}},"ignition":{"containerLinuxConfig":{"additionalConfig":{"storage":{"filesystems":[{"mount":{"device":"/dev/xvdc","format":"xfs","label":"etcd","wipeFilesystem":true},"name":"etcd"},{"mount":{"device":"/dev/xvdd","format":"xfs","label":"containerd","wipeFilesystem":true},"name":"containerd"},{"mount":{"device":"/dev/xvde","format":"xfs","label":"kubelet","wipeFilesystem":true},"name":"kubelet"}]},"systemd":{"units":[{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/etcd","where":"/var/lib/etcd"},"unit":{"defaultDependencies":false,"description":"etcd volume"}},"enabled":true,"name":"var-lib-etcd.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/kubelet","where":"/var/lib/kubelet"},"unit":{"defaultDependencies":false,"description":"kubelet volume"}},"enabled":true,"name":"var-lib-kubelet.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/containerd","where":"/var/lib/containerd"},"unit":{"defaultDependencies":false,"description":"containerd volume"}},"enabled":true,"name":"var-lib-containerd.mount"}]}}}}},"resources":{"infrastructureMachineTemplate":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachineTemplate","version":"v1beta1"},"infrastructureMachineTemplateSpecTemplateName":"controlplane-awsmachinetemplate-spec"}},"pauseProperties":{"global.connectivity.vpcMode":"private"},"provider":"aws","resourcesApi":{"bastionResourceEnabled":false,"ciliumHelmReleaseResourceEnabled":true,"clusterResourceEnabled":true,"controlPlaneResourceEnabled":true,"coreDnsHelmReleaseResourceEnabled":true,"helmRepositoryResourcesEnabled":true,"infrastructureCluster":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSCluster","version":"v1beta1"},"infrastructureMachinePool":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachinePool","version":"v1beta1"},"machineHealthCheckResourceEnabled":true,"machinePoolResourcesEnabled":true,"networkPoliciesHelmReleaseResourceEnabled":true,"nodePoolKind":"MachinePool","verticalPodAutoscalerCrdHelmReleaseResourceEnabled":true},"workers":{"defaultNodePools":{"def00":{"customNodeLabels":["label=default"],"instanceType":"r6i.xlarge","maxSize":3,"minSize":3}}}}}`|
 | `cluster-shared` | **Library chart**|**Type:** `object`<br/>|
 | `managementCluster` | **Management cluster** - Name of the Cluster API cluster managing this workload cluster.|**Type:** `string`<br/>|
 | `provider` | **Cluster API provider name**|**Type:** `string`<br/>|

diff --git a/helm/cluster-aws/templates/_cilium_helmrelease_config.yaml b/helm/cluster-aws/templates/_cilium_helmrelease_config.yaml
@@ -0,0 +1,33 @@
+{{/* AWS-specific cilium Helm values*/}}
+{{/* https://github.com/giantswarm/cilium-app/blob/main/helm/cilium/values.yaml*/}}
+{{- define "awsCiliumHelmValues" }}
+hubble:
+  relay:
+    tolerations:
+      - key: "node.cluster.x-k8s.io/uninitialized"
+        operator: "Exists"
+        effect: "NoSchedule"
+  ui:
+    tolerations:
+      - key: "node.cluster.x-k8s.io/uninitialized"
+        operator: "Exists"
+        effect: "NoSchedule"
+defaultPolicies:
+  enabled: false
+  remove: true
+
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+extraPolicies:
+  allowEgressToCoreDNS:
+    enabled: true
+  allowEgressToProxy:
+    enabled: {{ $.Values.global.connectivity.proxy.enabled }}
+    httpProxy: {{ $.Values.global.connectivity.proxy.httpProxy | quote }}
+    httpsProxy: {{ $.Values.global.connectivity.proxy.httpsProxy | quote }}
+{{- end }}
diff --git a/helm/cluster-aws/templates/cilium-helmrelease.yaml b/helm/cluster-aws/templates/cilium-helmrelease.yaml
diff --git a/helm/cluster-aws/templates/netpol-helmrelease.yaml b/helm/cluster-aws/templates/netpol-helmrelease.yaml
diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json
@@ -190,6 +190,11 @@
             "description": "Helm values for the provider-independent cluster chart",
             "default": {
                 "providerIntegration": {
+                    "apps": {
+                        "cilium": {
+                            "configTemplateName": "awsCiliumHelmValues"
+                        }
+                    },
                     "clusterAnnotationsTemplateName": "awsConnectivityLabels",
                     "components": {
                         "systemd": {
@@ -346,6 +351,7 @@
                     "provider": "aws",
                     "resourcesApi": {
                         "bastionResourceEnabled": false,
+                        "ciliumHelmReleaseResourceEnabled": true,
                         "clusterResourceEnabled": true,
                         "controlPlaneResourceEnabled": true,
                         "coreDnsHelmReleaseResourceEnabled": true,
@@ -362,6 +368,7 @@
                         },
                         "machineHealthCheckResourceEnabled": true,
                         "machinePoolResourcesEnabled": true,
+                        "networkPoliciesHelmReleaseResourceEnabled": true,
                         "nodePoolKind": "MachinePool",
                         "verticalPodAutoscalerCrdHelmReleaseResourceEnabled": true
                     },

diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
@@ -2,6 +2,9 @@
 
 cluster:
   providerIntegration:
+    apps:
+      cilium:
+        configTemplateName: awsCiliumHelmValues
     clusterAnnotationsTemplateName: awsConnectivityLabels
     components:
       systemd:
@@ -101,6 +104,7 @@ cluster:
     provider: aws
     resourcesApi:
       bastionResourceEnabled: false
+      ciliumHelmReleaseResourceEnabled: true
       clusterResourceEnabled: true
       controlPlaneResourceEnabled: true
       coreDnsHelmReleaseResourceEnabled: true
@@ -115,6 +119,7 @@ cluster:
         version: v1beta1
       machineHealthCheckResourceEnabled: true
       machinePoolResourcesEnabled: true
+      networkPoliciesHelmReleaseResourceEnabled: true
       nodePoolKind: MachinePool
       verticalPodAutoscalerCrdHelmReleaseResourceEnabled: true
     workers: