Merge pull request #109 from projectsyn/deps/cilium-1.14

Update Cilium to latest available v1.14 for each install method
projectsyn · May 7, 2024 · d055f06 · d055f06
2 parents 35e6444 + 4553998
commit d055f06
Show file tree

Hide file tree

Showing 30 changed files with 419 additions and 161 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -91,10 +91,10 @@ parameters:
 
     olm:
       source:
-        opensource: https://github.com/isovalent/olm-for-cilium/archive/master.tar.gz
+        opensource: https://github.com/isovalent/olm-for-cilium/archive/main.tar.gz
         enterprise: <CILIUM-ENTERPRISE-OLM-MANIFESTS-TARGZ-URL> # Configure the URL in your global defaults.
-      version: "1.13"
-      patchlevel: "8"
+      version: "1.14"
+      patchlevel: "7"
       full_version: ${cilium:olm:version}.${cilium:olm:patchlevel}
       resources:
         requests:
@@ -108,10 +108,10 @@ parameters:
     charts:
       cilium:
         source: https://helm.cilium.io
-        version: "1.13.8"
+        version: "1.14.10"
       cilium-enterprise:
         source: "<CILIUM-ENTERPRISE-CHART-REPO-URL>" # Configure the Chart repository URL in your global defaults
-        version: "1.13.8"
+        version: "1.14.9"
 
     images:
       kubectl:

diff --git a/component/cleanup.libsonnet b/component/cleanup.libsonnet
@@ -31,7 +31,7 @@ local job = kube.Job(name) {
   metadata+: {
     namespace: namespace,
     annotations+: {
-      'argocd.argoproj.io/hook': 'Sync',
+      'argocd.argoproj.io/hook': 'PreSync',
       'argocd.argoproj.io/hook-delete-policy': 'HookSucceeded',
     },
   },

diff --git a/component/olm.jsonnet b/component/olm.jsonnet
@@ -40,28 +40,42 @@ local olmDir =
   else
     error "Unknown release '%s'" % [ params.release ];
 
-local olmFiles = std.filterMap(
-  function(name)
-    // drop hidden files
-    !std.startsWith(name, '.'),
-  function(name) {
-    filename: name,
-    contents: std.parseJson(kap.yaml_load(olmDir + name)),
-  },
-  kap.dir_files_list(olmDir)
+local olmFiles = std.foldl(
+  function(status, file)
+    status {
+      files+: [ file ],
+      has_csv: status.has_csv || (file.contents.kind == 'ClusterServiceVersion'),
+    },
+
+  std.filterMap(
+    function(name)
+      // drop hidden files
+      !std.startsWith(name, '.'),
+    function(name) {
+      filename: name,
+      contents: std.parseJson(kap.yaml_load(olmDir + name)),
+    },
+    kap.dir_files_list(olmDir)
+  ),
+  {
+    files: [],
+    has_csv: false,
+  }
 );
 
-local patchManifests = function(file)
+local patchManifests = function(file, has_csv)
   local hasK8sHost = std.objectHas(helm.cilium_values, 'k8sServiceHost');
   local hasK8sPort = std.objectHas(helm.cilium_values, 'k8sServicePort');
   local metadata_name_map = {
     opensource: {
       CiliumConfig: 'cilium',
       Deployment: 'cilium-olm',
+      OlmRole: 'cilium-olm',
     },
     enterprise: {
       CiliumConfig: 'cilium-enterprise',
       Deployment: 'cilium-ee-olm',
+      OlmRole: 'cilium-ee-olm',
     },
   };
   local deploymentPatch = {
@@ -170,14 +184,38 @@ local patchManifests = function(file)
     file.contents.metadata.namespace == 'cilium'
   ) then
     null
+  else if (
+    !has_csv &&
+    file.contents.kind == 'OperatorGroup' &&
+    file.contents.metadata.namespace == 'cilium'
+  ) then
+    null
+  else if (
+    file.contents.kind == 'Role' &&
+    file.contents.metadata.namespace == 'cilium' &&
+    file.contents.metadata.name == metadata_name_map[params.release].OlmRole
+  ) then
+    file {
+      contents+: {
+        rules: [
+          if r.apiGroups == [ '' ] && r.resources == [ 'events' ] then
+            r {
+              verbs+: [ 'patch' ],
+            }
+          else
+            r
+          for r in super.rules
+        ],
+      },
+    }
   else
     file;
 
 std.foldl(
   function(files, file) files { [std.strReplace(file.filename, '.yaml', '')]: file.contents },
   std.filter(
     function(obj) obj != null,
-    std.map(patchManifests, olmFiles),
+    std.map(function(obj) patchManifests(obj, olmFiles.has_csv), olmFiles.files),
   ),
   {
     '99_cleanup': (import 'cleanup.libsonnet'),

diff --git a/component/render-helm-values.jsonnet b/component/render-helm-values.jsonnet
@@ -47,7 +47,18 @@ local cilium_values = std.prune(
 local helm_values = {
   opensource: cilium_values,
   enterprise: {
-    cilium: cilium_values,
+    cilium: {
+      enterprise: {
+        egressGatewayHA: {
+          // Enable HA egress gateway on Cilium EE by default when the regular
+          // egress gateway is enabled.
+          // we do this before the user-provided values, so users can still
+          // enable the HA egress gateway without enabling the regular egress
+          // gateway.
+          enabled: cilium_values.egressGateway.enabled,
+        },
+      },
+    } + com.makeMergeable(cilium_values),
     'hubble-enterprise': std.prune(params.hubble_enterprise_helm_values),
     'hubble-ui': std.prune(params.hubble_ui_helm_values),
   },
@@ -58,7 +69,7 @@ local legacy_values =
     std.trace(
       'Parameter `helm_values` is deprecated. ' +
       'Please move your configs to `cilium_helm_values`, ' +
-      '`hubble_enterprise_helm_values` or\n  `hubble_ui_helm_values`.',
+      '`hubble_enterprise_helm_values` or `hubble_ui_helm_values`.',
       com.makeMergeable(params.helm_values)
     )
   else

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -218,6 +218,7 @@ type:: boolean
 default:: `false`
 
 This parameter allows users to set all the configurations necessary to enable the egress gateway policy feature through a single parameter.
+
 The parameter sets the following Helm values:
 
 [source,yaml]
@@ -232,6 +233,9 @@ l7Proxy: false
 Notably, the L7 proxy feature is disabled by default when egress gateway policies are enabled.
 This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/v1.13/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation].
 
+For Cilium EE, the component uses Helm value `egressGateway.enabled` for Helm value `enterprise.egressGatewayHA.enabled` by default.
+It's possible to override this by explicitly setting `egressGateway.enabled=false` and `enterprise.egressGatewayHA.enabled=true` in the component's `cilium_helm_values`.
+
 === `egress_gateway.policies`
 
 [horizontal]

diff --git a/...defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml b/...defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml
@@ -57,6 +57,9 @@ rules:
       - ciliumnetworkpolicies
       - ciliumnodes
       - ciliumnodeconfigs
+      - ciliumcidrgroups
+      - ciliuml2announcementpolicies
+      - ciliumpodippools
     verbs:
       - list
       - watch
@@ -96,5 +99,6 @@ rules:
       - ciliumclusterwidenetworkpolicies/status
       - ciliumendpoints/status
       - ciliumendpoints
+      - ciliuml2announcementpolicies/status
     verbs:
       - patch
diff --git a/...n/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/...n/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
@@ -49,19 +49,7 @@ spec:
                   fieldPath: metadata.namespace
             - name: CILIUM_CLUSTERMESH_CONFIG
               value: /var/lib/cilium/clustermesh/
-            - name: CILIUM_CNI_CHAINING_MODE
-              valueFrom:
-                configMapKeyRef:
-                  key: cni-chaining-mode
-                  name: cilium-config
-                  optional: true
-            - name: CILIUM_CUSTOM_CNI_CONF
-              valueFrom:
-                configMapKeyRef:
-                  key: custom-cni-conf
-                  name: cilium-config
-                  optional: true
-          image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b
+          image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
           imagePullPolicy: IfNotPresent
           lifecycle:
             postStart:
@@ -70,7 +58,25 @@ spec:
                   - bash
                   - -c
                   - |
-                    /cni-install.sh --enable-debug=false --cni-exclusive=true --log-file=/var/run/cilium/cilium-cni.log
+                    set -o errexit
+                    set -o pipefail
+                    set -o nounset
+
+                    # When running in AWS ENI mode, it's likely that 'aws-node' has
+                    # had a chance to install SNAT iptables rules. These can result
+                    # in dropped traffic, so we should attempt to remove them.
+                    # We do it using a 'postStart' hook since this may need to run
+                    # for nodes which might have already been init'ed but may still
+                    # have dangling rules. This is safe because there are no
+                    # dependencies on anything that is part of the startup script
+                    # itself, and can be safely run multiple times per node (e.g. in
+                    # case of a restart).
+                    if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
+                    then
+                        echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
+                        iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
+                    fi
+                    echo 'Done!'
             preStop:
               exec:
                 command:
@@ -186,7 +192,7 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
-          image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b
+          image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
           imagePullPolicy: IfNotPresent
           name: config
           terminationMessagePolicy: FallbackToLogsOnError
@@ -205,7 +211,7 @@ spec:
               value: /run/cilium/cgroupv2
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b
+          image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
           imagePullPolicy: IfNotPresent
           name: mount-cgroup
           securityContext:
@@ -235,7 +241,7 @@ spec:
           env:
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b
+          image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
           imagePullPolicy: IfNotPresent
           name: apply-sysctl-overwrites
           securityContext:
@@ -261,7 +267,7 @@ spec:
             - /bin/bash
             - -c
             - --
-          image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b
+          image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
           imagePullPolicy: IfNotPresent
           name: mount-bpf-fs
           securityContext:
@@ -286,13 +292,9 @@ spec:
                   key: clean-cilium-bpf-state
                   name: cilium-config
                   optional: true
-          image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b
+          image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
           imagePullPolicy: IfNotPresent
           name: clean-cilium-state
-          resources:
-            requests:
-              cpu: 100m
-              memory: 100Mi
           securityContext:
             capabilities:
               add:
@@ -316,7 +318,7 @@ spec:
               name: cilium-run
         - command:
             - /install-plugin.sh
-          image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b
+          image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
           imagePullPolicy: IfNotPresent
           name: install-cni-binaries
           resources:
@@ -378,10 +380,22 @@ spec:
             type: FileOrCreate
           name: xtables-lock
         - name: clustermesh-secrets
-          secret:
+          projected:
             defaultMode: 256
-            optional: true
-            secretName: cilium-clustermesh
+            sources:
+              - secret:
+                  name: cilium-clustermesh
+                  optional: true
+              - secret:
+                  items:
+                    - key: tls.key
+                      path: common-etcd-client.key
+                    - key: tls.crt
+                      path: common-etcd-client.crt
+                    - key: ca.crt
+                      path: common-etcd-client-ca.crt
+                  name: clustermesh-apiserver-remote-cert
+                  optional: true
         - hostPath:
             path: /proc/sys/net
             type: Directory