diff --git a/class/defaults.yml b/class/defaults.yml index a2bd292b..0472c8f7 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -91,10 +91,10 @@ parameters: olm: source: - opensource: https://github.com/isovalent/olm-for-cilium/archive/master.tar.gz + opensource: https://github.com/isovalent/olm-for-cilium/archive/main.tar.gz enterprise: # Configure the URL in your global defaults. - version: "1.13" - patchlevel: "8" + version: "1.14" + patchlevel: "7" full_version: ${cilium:olm:version}.${cilium:olm:patchlevel} resources: requests: @@ -108,10 +108,10 @@ parameters: charts: cilium: source: https://helm.cilium.io - version: "1.13.8" + version: "1.14.10" cilium-enterprise: source: "" # Configure the Chart repository URL in your global defaults - version: "1.13.8" + version: "1.14.9" images: kubectl: diff --git a/component/cleanup.libsonnet b/component/cleanup.libsonnet index e29fd334..3502ed79 100644 --- a/component/cleanup.libsonnet +++ b/component/cleanup.libsonnet @@ -31,7 +31,7 @@ local job = kube.Job(name) { metadata+: { namespace: namespace, annotations+: { - 'argocd.argoproj.io/hook': 'Sync', + 'argocd.argoproj.io/hook': 'PreSync', 'argocd.argoproj.io/hook-delete-policy': 'HookSucceeded', }, }, diff --git a/component/olm.jsonnet b/component/olm.jsonnet index 824d6f10..dca15c76 100644 --- a/component/olm.jsonnet +++ b/component/olm.jsonnet 
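Review bot: Switching the cleanup Job's annotation from `Sync` to `PreSync` in component/cleanup.libsonnet changes its failure mode without a comment saying so: an Argo CD PreSync hook that fails aborts the whole sync before any of the new manifests are applied, and with `hook-delete-policy: HookSucceeded` the failed Job is left in the namespace, whereas as a Sync hook it ran alongside the other resources. A one-line comment above the annotation would record the intent, e.g. `// PreSync: cleanup must finish before the new manifests are applied; a failed Job aborts the sync and is kept (HookSucceeded) for inspection.` The Job's command is outside the hunk, so I cannot confirm what it removes; if it deletes resources the new bundle recreates, that ordering dependency belongs in the same comment. The `job` definition begins before the hunk and continues past it.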
@@ -40,28 +40,42 @@ local olmDir = else error "Unknown release '%s'" % [ params.release ]; -local olmFiles = std.filterMap( - function(name) - // drop hidden files - !std.startsWith(name, '.'), - function(name) { - filename: name, - contents: std.parseJson(kap.yaml_load(olmDir + name)), - }, - kap.dir_files_list(olmDir) +local olmFiles = std.foldl( + function(status, file) + status { + files+: [ file ], + has_csv: status.has_csv || (file.contents.kind == 'ClusterServiceVersion'), + }, + + std.filterMap( + function(name) + // drop hidden files + !std.startsWith(name, '.'), + function(name) { + filename: name, + contents: std.parseJson(kap.yaml_load(olmDir + name)), + }, + kap.dir_files_list(olmDir) + ), + { + files: [], + has_csv: false, + } ); -local patchManifests = function(file) +local patchManifests = function(file, has_csv) local hasK8sHost = std.objectHas(helm.cilium_values, 'k8sServiceHost'); local hasK8sPort = std.objectHas(helm.cilium_values, 'k8sServicePort'); local metadata_name_map = { opensource: { CiliumConfig: 'cilium', Deployment: 'cilium-olm', + OlmRole: 'cilium-olm', }, enterprise: { CiliumConfig: 'cilium-enterprise', Deployment: 'cilium-ee-olm', + OlmRole: 'cilium-ee-olm', }, }; local deploymentPatch = { @@ -170,6 +184,30 @@ local patchManifests = function(file) file.contents.metadata.namespace == 'cilium' ) then null + else if ( + !has_csv && + file.contents.kind == 'OperatorGroup' && + file.contents.metadata.namespace == 'cilium' + ) then + null + else if ( + file.contents.kind == 'Role' && + file.contents.metadata.namespace == 'cilium' && + file.contents.metadata.name == metadata_name_map[params.release].OlmRole + ) then + file { + contents+: { + rules: [ + if r.apiGroups == [ '' ] && r.resources == [ 'events' ] then + r { + verbs+: [ 'patch' ], + } + else + r + for r in super.rules + ], + }, + } else file; 
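Review bot: The fold that builds `olmFiles` reads `file.contents.kind` for every non-hidden file in `olmDir`, so a file whose YAML has no top-level `kind`, or that parses to something other than an object, now aborts the whole render with a field-lookup error where the previous `std.filterMap` only parsed it. If every file in that directory is guaranteed to be a single Kubernetes manifest, a comment should say so, e.g. `// every file in olmDir must be a single Kubernetes manifest with a top-level kind`; otherwise guard the check with `has_csv: status.has_csv || (std.isObject(file.contents) && std.objectHas(file.contents, 'kind') && file.contents.kind == 'ClusterServiceVersion'),`. The `olmDir` definition starts before this hunk and `patchManifests`, introduced here, continues past it.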
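Review bot: The new `Role` branch widens RBAC by appending `patch` on core `events` to the role named by `metadata_name_map[params.release].OlmRole`, but nothing in the hunk records why the bundled role is insufficient; an RBAC extension should carry its reason inline so a later bundle bump does not silently drop or duplicate it, e.g. `// upstream bundle grants no 'patch' on events; the operator appears to need it (TODO confirm against the operator's event handling)`. `verbs+: [ 'patch' ]` also appends unconditionally, so a future bundle that already grants `patch` produces a duplicated verb; `if !std.member(r.verbs, 'patch') then r { verbs+: [ 'patch' ] } else r` avoids that. Note as well that `r.apiGroups == [ '' ] && r.resources == [ 'events' ]` is an exact list comparison, so if upstream ever folds `events` into a multi-resource rule the patch silently matches nothing and the grant disappears without a render error. `patchManifests` starts in the previous hunk and continues past this one.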
@@ -177,7 +215,7 @@ std.foldl( function(files, file) files { [std.strReplace(file.filename, '.yaml', '')]: file.contents }, std.filter( function(obj) obj != null, - std.map(patchManifests, olmFiles), + std.map(function(obj) patchManifests(obj, olmFiles.has_csv), olmFiles.files), ), { '99_cleanup': (import 'cleanup.libsonnet'), diff --git a/component/render-helm-values.jsonnet b/component/render-helm-values.jsonnet index 4c2a4493..2ce9f473 100644 --- a/component/render-helm-values.jsonnet +++ b/component/render-helm-values.jsonnet @@ -47,7 +47,18 @@ local cilium_values = std.prune( local helm_values = { opensource: cilium_values, enterprise: { - cilium: cilium_values, + cilium: { + enterprise: { + egressGatewayHA: { + // Enable HA egress gateway on Cilium EE by default when the regular + // egress gateway is enabled. + // we do this before the user-provided values, so users can still + // enable the HA egress gateway without enabling the regular egress + // gateway. + enabled: cilium_values.egressGateway.enabled, + }, + }, + } + com.makeMergeable(cilium_values), 'hubble-enterprise': std.prune(params.hubble_enterprise_helm_values), 'hubble-ui': std.prune(params.hubble_ui_helm_values), }, @@ -58,7 +69,7 @@ local legacy_values = std.trace( 'Parameter `helm_values` is deprecated. ' + 'Please move your configs to `cilium_helm_values`, ' + - '`hubble_enterprise_helm_values` or\n `hubble_ui_helm_values`.', + '`hubble_enterprise_helm_values` or `hubble_ui_helm_values`.', com.makeMergeable(params.helm_values) ) else diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index ce8117a8..f1d7f084 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
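Review bot: In component/render-helm-values.jsonnet, `enabled: cilium_values.egressGateway.enabled` is an unguarded field access on `cilium_values`, which the hunk header shows is produced by `std.prune(...)`; if `egressGateway` is absent from the parameters, or pruned away because it is empty, rendering the enterprise values fails with a missing-field error instead of leaving HA egress gateway off. Unless the parameter defaults guarantee the key (not visible here), a tolerant lookup keeps the documented behaviour, `enabled: std.get(std.get(cilium_values, 'egressGateway', {}), 'enabled', false),`, and the user's `cilium_helm_values`, merged afterwards via `com.makeMergeable(cilium_values)`, still override it as the new comment describes. `cilium_values` and `helm_values` are defined partly outside the hunk.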
@@ -218,6 +218,7 @@ type:: boolean default:: `false` This parameter allows users to set all the configurations necessary to enable the egress gateway policy feature through a single parameter. + The parameter sets the following Helm values: [source,yaml] @@ -232,6 +233,9 @@ l7Proxy: false Notably, the L7 proxy feature is disabled by default when egress gateway policies are enabled. This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/v1.13/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation]. +For Cilium EE, the component uses Helm value `egressGateway.enabled` for Helm value `enterprise.egressGatewayHA.enabled` by default. +It's possible to override this by explicitly setting `egressGateway.enabled=false` and `enterprise.egressGatewayHA.enabled=true` in the component's `cilium_helm_values`. + === `egress_gateway.policies` [horizontal] diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml index 242018bd..c5a71720 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml @@ -57,6 +57,9 @@ rules: - ciliumnetworkpolicies - ciliumnodes - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools verbs: - list - watch @@ -96,5 +99,6 @@ rules: - ciliumclusterwidenetworkpolicies/status - ciliumendpoints/status - ciliumendpoints + - ciliuml2announcementpolicies/status verbs: - patch diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 19a287a5..7aba7980 100644 
--- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -49,19 +49,7 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -70,7 +58,25 @@ spec: - bash - -c - | - /cni-install.sh --enable-debug=false --cni-exclusive=true --log-file=/var/run/cilium/cilium-cni.log + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: 
@@ -186,7 +192,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -205,7 +211,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -235,7 +241,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -261,7 +267,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -286,13 +292,9 @@ spec: key: clean-cilium-bpf-state name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: clean-cilium-state - resources: - requests: - cpu: 100m - memory: 100Mi securityContext: capabilities: add: 
@@ -316,7 +318,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -378,10 +380,22 @@ spec: type: FileOrCreate name: xtables-lock - name: clustermesh-secrets - secret: + projected: defaultMode: 256 - optional: true - secretName: cilium-clustermesh + sources: + - secret: + name: cilium-clustermesh + optional: true + - secret: + items: + - key: tls.key + path: common-etcd-client.key + - key: tls.crt + path: common-etcd-client.crt + - key: ca.crt + path: common-etcd-client-ca.crt + name: clustermesh-apiserver-remote-cert + optional: true - hostPath: path: /proc/sys/net type: Directory diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index fe6ba875..ce9a79be 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -15,13 +15,16 @@ data: cluster-name: default cluster-pool-ipv4-cidr: 10.128.0.0/14 cluster-pool-ipv4-mask-size: '23' - cni-uninstall: 'true' + cni-exclusive: 'true' + cni-log-file: /var/run/cilium/cilium-cni.log + cnp-node-status-gc-interval: 0s custom-cni-conf: 'false' debug: 'false' debug-verbose: '' direct-routing-device: ens+ disable-cnp-status-updates: 'true' - disable-endpoint-crd: 'false' + dnsproxy-enable-transparent-mode: 'true' + egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'false' enable-bpf-clock-probe: 'false' 
@@ -34,10 +37,12 @@ data: enable-host-port: 'true' enable-hubble: 'true' enable-ipv4: 'true' + enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' enable-ipv6: 'false' enable-ipv6-big-tcp: 'false' enable-ipv6-masquerade: 'true' + enable-k8s-networkpolicy: 'true' enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' @@ -51,6 +56,7 @@ data: enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + external-envoy-proxy: 'false' hubble-disable-tls: 'true' hubble-listen-address: :4244 hubble-socket-path: /var/run/cilium/hubble.sock @@ -59,8 +65,15 @@ data: identity-heartbeat-timeout: 30m0s install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + k8s-client-burst: '10' + k8s-client-qps: '5' kube-proxy-replacement: partial kube-proxy-replacement-healthz-bind-address: '' + mesh-auth-enabled: 'true' + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: '1024' + mesh-auth-rotated-identities-queue-size: '1024' monitor-aggregation: medium monitor-aggregation-flags: all monitor-aggregation-interval: 5s @@ -70,9 +83,14 @@ data: preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 + proxy-connect-timeout: '2' + proxy-max-connection-duration-seconds: '0' + proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' remove-cilium-node-taints: 'true' + routing-mode: tunnel set-cilium-is-up-condition: 'true' + set-cilium-node-taints: 'true' sidecar-istio-proxy-image: cilium/istio_proxy skip-cnp-status-startup-clean: 'false' synchronize-k8s-nodes: 'true' 
@@ -81,14 +99,14 @@ data: tofqdns-endpoint-max-ip-per-hostname: '50' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' - tofqdns-min-ttl: '3600' tofqdns-proxy-response-max-delay: 100ms - tunnel: vxlan + tunnel-protocol: vxlan unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' vtep-mac: '' vtep-mask: '' + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: name: cilium-config diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index 7f6e0437..9909428c 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -152,6 +152,9 @@ rules: - ciliumnetworkpolicies.cilium.io - ciliumnodes.cilium.io - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io resources: - customresourcedefinitions verbs: @@ -160,10 +163,17 @@ rules: - cilium.io resources: - ciliumloadbalancerippools + - ciliumpodippools verbs: - get - list - watch + - apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create - apiGroups: - cilium.io resources: diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index e117624f..bc21885b 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
@@ -16,8 +16,8 @@ spec: name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.13.8@sha256:324d17fa59f9a5fa5f957f088567cb66f15d8771880f6ced755e79e8e4b085fd + image: quay.io/cilium/operator-generic:v1.14.10@sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -71,6 +71,16 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 3 resources: limits: cpu: 100m diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index bc26ba76..7f549fea 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml @@ -1,9 +1,9 @@ apiVersion: v1 data: config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ndial-timeout: \nretry-timeout: \nsort-buffer-len-max:\ - \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\ndisable-server-tls:\ - \ true\n" + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ + \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ + disable-server-tls: true\n" kind: ConfigMap metadata: name: hubble-relay-config 
diff --git a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml index 0bf3739b..5b9ed4f8 100644 --- a/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml +++ b/tests/golden/defaults/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml @@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.13.8@sha256:9e9971ff7a25f9b98810d6c5e623002df740a98bbde58a066b035a31d624846b + image: quay.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0 imagePullPolicy: IfNotPresent livenessProbe: tcpSocket: @@ -49,6 +49,13 @@ spec: readinessProbe: tcpSocket: port: grpc + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay @@ -58,6 +65,8 @@ spec: kubernetes.io/os: linux priorityClassName: null restartPolicy: Always + securityContext: + fsGroup: 65532 serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml index 242018bd..c5a71720 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml @@ -57,6 +57,9 @@ rules: - ciliumnetworkpolicies - ciliumnodes - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools verbs: - list - watch 
@@ -96,5 +99,6 @@ rules: - ciliumclusterwidenetworkpolicies/status - ciliumendpoints/status - ciliumendpoints + - ciliuml2announcementpolicies/status verbs: - patch diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml index 19a287a5..7aba7980 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml @@ -49,19 +49,7 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent lifecycle: postStart: 
@@ -70,7 +58,25 @@ spec: - bash - -c - | - /cni-install.sh --enable-debug=false --cni-exclusive=true --log-file=/var/run/cilium/cilium-cni.log + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: @@ -186,7 +192,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -205,7 +211,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: 
@@ -235,7 +241,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -261,7 +267,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -286,13 +292,9 @@ spec: key: clean-cilium-bpf-state name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: clean-cilium-state - resources: - requests: - cpu: 100m - memory: 100Mi securityContext: capabilities: add: @@ -316,7 +318,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -378,10 +380,22 @@ spec: type: FileOrCreate name: xtables-lock - name: clustermesh-secrets - secret: + projected: defaultMode: 256 - optional: true - secretName: cilium-clustermesh + sources: + - secret: + name: cilium-clustermesh + optional: true + - secret: + items: + - key: tls.key + path: common-etcd-client.key + - key: tls.crt + path: common-etcd-client.crt + - key: ca.crt + path: common-etcd-client-ca.crt + name: clustermesh-apiserver-remote-cert + optional: true - hostPath: path: /proc/sys/net type: Directory diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml index db958a01..b27f2f36 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml @@ -15,13 +15,16 @@ data: cluster-name: default cluster-pool-ipv4-cidr: 10.128.0.0/14 cluster-pool-ipv4-mask-size: '23' - cni-uninstall: 'true' + cni-exclusive: 'true' + cni-log-file: /var/run/cilium/cilium-cni.log + cnp-node-status-gc-interval: 0s custom-cni-conf: 'false' debug: 'false' debug-verbose: '' direct-routing-device: ens+ disable-cnp-status-updates: 'true' - disable-endpoint-crd: 'false' + dnsproxy-enable-transparent-mode: 'true' + egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'false' enable-bpf-clock-probe: 'false' 
@@ -34,11 +37,13 @@ data: enable-host-port: 'true' enable-hubble: 'true' enable-ipv4: 'true' + enable-ipv4-big-tcp: 'false' enable-ipv4-egress-gateway: 'true' enable-ipv4-masquerade: 'true' enable-ipv6: 'false' enable-ipv6-big-tcp: 'false' enable-ipv6-masquerade: 'true' + enable-k8s-networkpolicy: 'true' enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'false' @@ -52,6 +57,7 @@ data: enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + external-envoy-proxy: 'false' hubble-disable-tls: 'true' hubble-listen-address: :4244 hubble-socket-path: /var/run/cilium/hubble.sock @@ -60,8 +66,15 @@ data: identity-heartbeat-timeout: 30m0s install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + k8s-client-burst: '10' + k8s-client-qps: '5' kube-proxy-replacement: partial kube-proxy-replacement-healthz-bind-address: '' + mesh-auth-enabled: 'true' + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: '1024' + mesh-auth-rotated-identities-queue-size: '1024' monitor-aggregation: medium monitor-aggregation-flags: all monitor-aggregation-interval: 5s @@ -71,9 +84,14 @@ data: preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 + proxy-connect-timeout: '2' + proxy-max-connection-duration-seconds: '0' + proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' remove-cilium-node-taints: 'true' + routing-mode: tunnel set-cilium-is-up-condition: 'true' + set-cilium-node-taints: 'true' sidecar-istio-proxy-image: cilium/istio_proxy skip-cnp-status-startup-clean: 'false' synchronize-k8s-nodes: 'true' 
@@ -82,14 +100,14 @@ data: tofqdns-endpoint-max-ip-per-hostname: '50' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' - tofqdns-min-ttl: '3600' tofqdns-proxy-response-max-delay: 100ms - tunnel: vxlan + tunnel-protocol: vxlan unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' vtep-mac: '' vtep-mask: '' + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: name: cilium-config diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml index 7f6e0437..9909428c 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml @@ -152,6 +152,9 @@ rules: - ciliumnetworkpolicies.cilium.io - ciliumnodes.cilium.io - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io resources: - customresourcedefinitions verbs: @@ -160,10 +163,17 @@ rules: - cilium.io resources: - ciliumloadbalancerippools + - ciliumpodippools verbs: - get - list - watch + - apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create - apiGroups: - cilium.io resources: diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml index e117624f..bc21885b 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml 
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml @@ -16,8 +16,8 @@ spec: name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: @@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.13.8@sha256:324d17fa59f9a5fa5f957f088567cb66f15d8771880f6ced755e79e8e4b085fd + image: quay.io/cilium/operator-generic:v1.14.10@sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -71,6 +71,16 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 3 resources: limits: cpu: 100m diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml index bc26ba76..7f549fea 100644 --- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml +++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml 
@@ -1,9 +1,9 @@ apiVersion: v1 data: config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ndial-timeout: \nretry-timeout: \nsort-buffer-len-max:\ - \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\ndisable-server-tls:\ - \ true\n" + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ + \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ + disable-server-tls: true\n" kind: ConfigMap metadata: name: hubble-relay-config
diff --git a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
index 0bf3739b..5b9ed4f8 100644
--- a/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
+++ b/tests/golden/egress-gateway/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
@@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.13.8@sha256:9e9971ff7a25f9b98810d6c5e623002df740a98bbde58a066b035a31d624846b + image: quay.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0 imagePullPolicy: IfNotPresent livenessProbe: tcpSocket:
@@ -49,6 +49,13 @@ spec: readinessProbe: tcpSocket: port: grpc + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay
@@ -58,6 +65,8 @@ spec: kubernetes.io/os: linux priorityClassName: null restartPolicy: Always + securityContext: + fsGroup: 65532 serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml
index 242018bd..c5a71720 100644
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/clusterrole.yaml
@@ -57,6 +57,9 @@ rules: - ciliumnetworkpolicies - ciliumnodes - ciliumnodeconfigs + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools verbs: - list - watch
@@ -96,5 +99,6 @@ rules: - ciliumclusterwidenetworkpolicies/status - ciliumendpoints/status - ciliumendpoints + - ciliuml2announcementpolicies/status verbs: - patch
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
index 19a287a5..7aba7980 100644
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
@@ -49,19 +49,7 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent lifecycle: postStart: 
@@ -70,7 +58,25 @@ spec: - bash - -c - | - /cni-install.sh --enable-debug=false --cni-exclusive=true --log-file=/var/run/cilium/cilium-cni.log + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command:
@@ -186,7 +192,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError
@@ -205,7 +211,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: 
@@ -235,7 +241,7 @@ spec: env: - name: BIN_PATH value: /var/lib/cni/bin - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext:
@@ -261,7 +267,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext:
@@ -286,13 +292,9 @@ spec: key: clean-cilium-bpf-state name: cilium-config optional: true - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: clean-cilium-state - resources: - requests: - cpu: 100m - memory: 100Mi securityContext: capabilities: add:
@@ -316,7 +318,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.13.8@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + image: quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -378,10 +380,22 @@ spec: type: FileOrCreate name: xtables-lock - name: clustermesh-secrets - secret: + projected: defaultMode: 256 - optional: true - secretName: cilium-clustermesh + sources: + - secret: + name: cilium-clustermesh + optional: true + - secret: + items: + - key: tls.key + path: common-etcd-client.key + - key: tls.crt + path: common-etcd-client.crt + - key: ca.crt + path: common-etcd-client-ca.crt + name: clustermesh-apiserver-remote-cert + optional: true - hostPath: path: /proc/sys/net type: Directory
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
index fe6ba875..ce9a79be 100644
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml
@@ -15,13 +15,16 @@ data: cluster-name: default cluster-pool-ipv4-cidr: 10.128.0.0/14 cluster-pool-ipv4-mask-size: '23' - cni-uninstall: 'true' + cni-exclusive: 'true' + cni-log-file: /var/run/cilium/cilium-cni.log + cnp-node-status-gc-interval: 0s custom-cni-conf: 'false' debug: 'false' debug-verbose: '' direct-routing-device: ens+ disable-cnp-status-updates: 'true' - disable-endpoint-crd: 'false' + dnsproxy-enable-transparent-mode: 'true' + egress-gateway-reconciliation-trigger-interval: 1s enable-auto-protect-node-port-range: 'true' enable-bgp-control-plane: 'false' enable-bpf-clock-probe: 'false'
@@ -34,10 +37,12 @@ data: enable-host-port: 'true' enable-hubble: 'true' enable-ipv4: 'true' + enable-ipv4-big-tcp: 'false' enable-ipv4-masquerade: 'true' enable-ipv6: 'false' enable-ipv6-big-tcp: 'false' enable-ipv6-masquerade: 'true' + enable-k8s-networkpolicy: 'true' enable-k8s-terminating-endpoint: 'true' enable-l2-neigh-discovery: 'true' enable-l7-proxy: 'true' 
@@ -51,6 +56,7 @@ data: enable-vtep: 'false' enable-well-known-identities: 'false' enable-xt-socket-fallback: 'true' + external-envoy-proxy: 'false' hubble-disable-tls: 'true' hubble-listen-address: :4244 hubble-socket-path: /var/run/cilium/hubble.sock
@@ -59,8 +65,15 @@ data: identity-heartbeat-timeout: 30m0s install-no-conntrack-iptables-rules: 'false' ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + k8s-client-burst: '10' + k8s-client-qps: '5' kube-proxy-replacement: partial kube-proxy-replacement-healthz-bind-address: '' + mesh-auth-enabled: 'true' + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: '1024' + mesh-auth-rotated-identities-queue-size: '1024' monitor-aggregation: medium monitor-aggregation-flags: all monitor-aggregation-interval: 5s
@@ -70,9 +83,14 @@ data: preallocate-bpf-maps: 'false' procfs: /host/proc prometheus-serve-addr: :9962 + proxy-connect-timeout: '2' + proxy-max-connection-duration-seconds: '0' + proxy-max-requests-per-connection: '0' proxy-prometheus-port: '9964' remove-cilium-node-taints: 'true' + routing-mode: tunnel set-cilium-is-up-condition: 'true' + set-cilium-node-taints: 'true' sidecar-istio-proxy-image: cilium/istio_proxy skip-cnp-status-startup-clean: 'false' synchronize-k8s-nodes: 'true'
@@ -81,14 +99,14 @@ data: tofqdns-endpoint-max-ip-per-hostname: '50' tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: '10000' - tofqdns-min-ttl: '3600' tofqdns-proxy-response-max-delay: 100ms - tunnel: vxlan + tunnel-protocol: vxlan unmanaged-pod-watcher-interval: '15' vtep-cidr: '' vtep-endpoint: '' vtep-mac: '' vtep-mask: '' + write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: name: cilium-config 
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
index 7f6e0437..9909428c 100644
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml
@@ -152,6 +152,9 @@ rules: - ciliumnetworkpolicies.cilium.io - ciliumnodes.cilium.io - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io resources: - customresourcedefinitions verbs:
@@ -160,10 +163,17 @@ rules: - cilium.io resources: - ciliumloadbalancerippools + - ciliumpodippools verbs: - get - list - watch + - apiGroups: - cilium.io resources: - ciliumpodippools verbs: - create - apiGroups: - cilium.io resources:
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
index e117624f..bc21885b 100644
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml
@@ -16,8 +16,8 @@ spec: name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: 
@@ -59,7 +59,7 @@ spec: key: debug name: cilium-config optional: true - image: quay.io/cilium/operator-generic:v1.13.8@sha256:324d17fa59f9a5fa5f957f088567cb66f15d8771880f6ced755e79e8e4b085fd + image: quay.io/cilium/operator-generic:v1.14.10@sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909 imagePullPolicy: IfNotPresent livenessProbe: httpGet:
@@ -71,6 +71,16 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + readinessProbe: + failureThreshold: 5 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 3 resources: limits: cpu: 100m
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
index bc26ba76..7f549fea 100644
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml
@@ -1,9 +1,9 @@ apiVersion: v1 data: config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\ - \nlisten-address: :4245\ndial-timeout: \nretry-timeout: \nsort-buffer-len-max:\ - \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\ndisable-server-tls:\ - \ true\n" + \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\ + \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ + disable-server-tls: true\n" kind: ConfigMap metadata: name: hubble-relay-config
diff --git a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
index 0bf3739b..5b9ed4f8 100644 
--- a/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
+++ b/tests/golden/helm-opensource/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml
@@ -37,7 +37,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.13.8@sha256:9e9971ff7a25f9b98810d6c5e623002df740a98bbde58a066b035a31d624846b + image: quay.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0 imagePullPolicy: IfNotPresent livenessProbe: tcpSocket:
@@ -49,6 +49,13 @@ spec: readinessProbe: tcpSocket: port: grpc + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/hubble-relay
@@ -58,6 +65,8 @@ spec: kubernetes.io/os: linux priorityClassName: null restartPolicy: Always + securityContext: + fsGroup: 65532 serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/99_cleanup.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/99_cleanup.yaml
index 3e4bfa45..6be1f05b 100644
--- a/tests/golden/olm-opensource/cilium/cilium/olm/99_cleanup.yaml
+++ b/tests/golden/olm-opensource/cilium/cilium/olm/99_cleanup.yaml
@@ -46,7 +46,7 @@ apiVersion: batch/v1 kind: Job metadata: annotations: - argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook: PreSync argocd.argoproj.io/hook-delete-policy: HookSucceeded labels: name: cleanup-old-clusterserviceversions
@@ -64,7 +64,7 @@ spec: - args: - | kubectl -n cilium get clusterserviceversion -ojson \ - | jq '.items[] | select(.spec.version | test("^1.13.8[+]") | not) | .metadata.name' \ + | jq '.items[] | select(.spec.version | test("^1.14.7[+]") | not) | .metadata.name' \ | xargs --no-run-if-empty kubectl -n cilium delete clusterserviceversions command: - sh 
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00002-cilium-olm-deployment.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00002-cilium-olm-deployment.yaml
index b333a1ad..872ff61f 100644
--- a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00002-cilium-olm-deployment.yaml
+++ b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00002-cilium-olm-deployment.yaml 
@@ -31,21 +31,21 @@ spec: fieldRef: fieldPath: metadata.namespace - name: RELATED_IMAGE_CILIUM - value: quay.io/cilium/cilium@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + value: quay.io/cilium/cilium@sha256:45ce2b87696082ecf7d53ba1c64ceeb4217578033e5ef28ac479ec049a48bc32 - name: RELATED_IMAGE_HUBBLE_RELAY - value: quay.io/cilium/hubble-relay@sha256:9e9971ff7a25f9b98810d6c5e623002df740a98bbde58a066b035a31d624846b + value: quay.io/cilium/hubble-relay@sha256:46762393daf4a0aaef76b106614c2615942f98f10aeacd435ea3fb1a0bdf69e4 - name: RELATED_IMAGE_CILIUM_OPERATOR - value: quay.io/cilium/operator-generic@sha256:324d17fa59f9a5fa5f957f088567cb66f15d8771880f6ced755e79e8e4b085fd + value: quay.io/cilium/operator-generic@sha256:37ef0bd85c27c765c637cd58c3ff4a559f8734ae39f9d1839a3ac7803de7b952 - name: RELATED_IMAGE_PREFLIGHT - value: quay.io/cilium/cilium@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + value: quay.io/cilium/cilium@sha256:45ce2b87696082ecf7d53ba1c64ceeb4217578033e5ef28ac479ec049a48bc32 - name: RELATED_IMAGE_CLUSTERMESH - value: quay.io/cilium/clustermesh-apiserver@sha256:e72cee26e8b934dc6f279fec571a860b953fd45f327144ce33cf90f8c983bf37 + value: quay.io/cilium/clustermesh-apiserver@sha256:28f3ffe53365ca79831af600f09a95c0b3e9959f5f891b416dab8cedd90c263d - name: RELATED_IMAGE_CERTGEN value: quay.io/cilium/certgen@sha256:f09fccb919d157fc0a83de20011738192a606250c0ee3238e3610b6cb06c0981 - name: RELATED_IMAGE_HUBBLE_UI_BE - value: quay.io/cilium/hubble-ui-backend@sha256:f88a73a120521eeafbcdbd908f517117f6557bf61e115847853fac371f0d774c + value: quay.io/cilium/hubble-ui-backend@sha256:6a396a3674b7d90ff8c408a2e13bc70b7871431bddd63da57afcdeea1d77d27c - name: RELATED_IMAGE_HUBBLE_UI_FE - value: quay.io/cilium/hubble-ui@sha256:e15af59a2ded739e420be82de6cbdd0ce22f8d3f00e3a10b3d2d2734e074a394 + value: quay.io/cilium/hubble-ui@sha256:cc0d4f6f610409707566087895062ac40960d667dd79e4f33a4f0f393758fc1e - name: 
RELATED_IMAGE_ETCD_OPERATOR value: quay.io/cilium/cilium-etcd-operator@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc - name: RELATED_IMAGE_NODEINIT
@@ -56,7 +56,7 @@ spec: value: 172.30.0.1 - name: KUBERNETES_SERVICE_PORT value: 443 - image: registry.connect.redhat.com/isovalent/cilium-olm@sha256:15f7661886456a7f7277086cb76d056a3e5f13c34a30ee48cabb633afafe0a86 + image: registry.connect.redhat.com/isovalent/cilium-olm@sha256:291a05c58de8d7daefeb0689c23cadd92c9368aea09751de70eaa817f7fcc358 name: operator ports: - containerPort: 9443
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml
index 342480d5..4127fc64 100644
--- a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml
+++ b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml
@@ -36,6 +36,7 @@ rules: - events verbs: - create + - patch - apiGroups: - '' resources:
diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00014-cilium.v1.13.8-xe0355c7-clusterserviceversion.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00014-cilium.v1.14.7-x3522df7-clusterserviceversion.yaml
similarity index 91%
rename from tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00014-cilium.v1.13.8-xe0355c7-clusterserviceversion.yaml
rename to tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00014-cilium.v1.14.7-x3522df7-clusterserviceversion.yaml
index 3ea37ed3..995447c7 100644
--- a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00014-cilium.v1.13.8-xe0355c7-clusterserviceversion.yaml
+++ b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00014-cilium.v1.14.7-x3522df7-clusterserviceversion.yaml 
@@ -7,10 +7,19 @@ metadata: CR for OpenShift"}}' capabilities: Seamless Upgrades categories: Networking,Security + features.operators.openshift.io/cni: 'true' + features.operators.openshift.io/disconnected: 'true' + features.operators.openshift.io/fips-compliant: 'false' + features.operators.openshift.io/proxy-aware: 'true' + features.operators.openshift.io/tls-profiles: 'false' + features.operators.openshift.io/token-auth-aws: 'false' + features.operators.openshift.io/token-auth-azure: 'false' + features.operators.openshift.io/token-auth-gcp: 'false' + olm.skipRange: '>=1.14.0 <1.14.7+x3522df7' operators.openshift.io/infrastructure-features: '["disconnected"]' repository: http://github.com/cilium/cilium support: support@isovalent.com - name: cilium.v1.13.8-xe0355c7 + name: cilium.v1.14.7-x3522df7 namespace: cilium spec: apiservicedefinitions: {} 
@@ -181,21 +190,21 @@ spec: fieldRef: fieldPath: metadata.namespace - name: RELATED_IMAGE_CILIUM - value: quay.io/cilium/cilium@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + value: quay.io/cilium/cilium@sha256:45ce2b87696082ecf7d53ba1c64ceeb4217578033e5ef28ac479ec049a48bc32 - name: RELATED_IMAGE_HUBBLE_RELAY - value: quay.io/cilium/hubble-relay@sha256:9e9971ff7a25f9b98810d6c5e623002df740a98bbde58a066b035a31d624846b + value: quay.io/cilium/hubble-relay@sha256:46762393daf4a0aaef76b106614c2615942f98f10aeacd435ea3fb1a0bdf69e4 - name: RELATED_IMAGE_CILIUM_OPERATOR - value: quay.io/cilium/operator-generic@sha256:324d17fa59f9a5fa5f957f088567cb66f15d8771880f6ced755e79e8e4b085fd + value: quay.io/cilium/operator-generic@sha256:37ef0bd85c27c765c637cd58c3ff4a559f8734ae39f9d1839a3ac7803de7b952 - name: RELATED_IMAGE_PREFLIGHT - value: quay.io/cilium/cilium@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + value: quay.io/cilium/cilium@sha256:45ce2b87696082ecf7d53ba1c64ceeb4217578033e5ef28ac479ec049a48bc32 - name: RELATED_IMAGE_CLUSTERMESH - value: quay.io/cilium/clustermesh-apiserver@sha256:e72cee26e8b934dc6f279fec571a860b953fd45f327144ce33cf90f8c983bf37 + value: quay.io/cilium/clustermesh-apiserver@sha256:28f3ffe53365ca79831af600f09a95c0b3e9959f5f891b416dab8cedd90c263d - name: RELATED_IMAGE_CERTGEN value: quay.io/cilium/certgen@sha256:f09fccb919d157fc0a83de20011738192a606250c0ee3238e3610b6cb06c0981 - name: RELATED_IMAGE_HUBBLE_UI_BE - value: quay.io/cilium/hubble-ui-backend@sha256:f88a73a120521eeafbcdbd908f517117f6557bf61e115847853fac371f0d774c + value: quay.io/cilium/hubble-ui-backend@sha256:6a396a3674b7d90ff8c408a2e13bc70b7871431bddd63da57afcdeea1d77d27c - name: RELATED_IMAGE_HUBBLE_UI_FE - value: quay.io/cilium/hubble-ui@sha256:e15af59a2ded739e420be82de6cbdd0ce22f8d3f00e3a10b3d2d2734e074a394 + value: quay.io/cilium/hubble-ui@sha256:cc0d4f6f610409707566087895062ac40960d667dd79e4f33a4f0f393758fc1e - name: 
RELATED_IMAGE_ETCD_OPERATOR value: quay.io/cilium/cilium-etcd-operator@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc - name: RELATED_IMAGE_NODEINIT @@ -206,7 +215,7 @@ spec: value: 172.30.0.1 - name: KUBERNETES_SERVICE_PORT value: 443 - image: registry.connect.redhat.com/isovalent/cilium-olm@sha256:15f7661886456a7f7277086cb76d056a3e5f13c34a30ee48cabb633afafe0a86 + image: registry.connect.redhat.com/isovalent/cilium-olm@sha256:291a05c58de8d7daefeb0689c23cadd92c9368aea09751de70eaa817f7fcc358 name: operator ports: - containerPort: 9443 
@@ -336,21 +345,21 @@ spec: provider: name: Isovalent relatedImages: - - image: quay.io/cilium/cilium@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + - image: quay.io/cilium/cilium@sha256:45ce2b87696082ecf7d53ba1c64ceeb4217578033e5ef28ac479ec049a48bc32 name: cilium - - image: quay.io/cilium/hubble-relay@sha256:9e9971ff7a25f9b98810d6c5e623002df740a98bbde58a066b035a31d624846b + - image: quay.io/cilium/hubble-relay@sha256:46762393daf4a0aaef76b106614c2615942f98f10aeacd435ea3fb1a0bdf69e4 name: hubble-relay - - image: quay.io/cilium/operator-generic@sha256:324d17fa59f9a5fa5f957f088567cb66f15d8771880f6ced755e79e8e4b085fd + - image: quay.io/cilium/operator-generic@sha256:37ef0bd85c27c765c637cd58c3ff4a559f8734ae39f9d1839a3ac7803de7b952 name: cilium-operator - - image: quay.io/cilium/cilium@sha256:774f0f11e171a96b59158884e0151eb522a2cf3fe23a7af7a140ae31ac30271b + - image: quay.io/cilium/cilium@sha256:45ce2b87696082ecf7d53ba1c64ceeb4217578033e5ef28ac479ec049a48bc32 name: preflight - - image: quay.io/cilium/clustermesh-apiserver@sha256:e72cee26e8b934dc6f279fec571a860b953fd45f327144ce33cf90f8c983bf37 + - image: quay.io/cilium/clustermesh-apiserver@sha256:28f3ffe53365ca79831af600f09a95c0b3e9959f5f891b416dab8cedd90c263d name: clustermesh - image: quay.io/cilium/certgen@sha256:f09fccb919d157fc0a83de20011738192a606250c0ee3238e3610b6cb06c0981 name: certgen - - image: quay.io/cilium/hubble-ui-backend@sha256:f88a73a120521eeafbcdbd908f517117f6557bf61e115847853fac371f0d774c + - image: quay.io/cilium/hubble-ui-backend@sha256:6a396a3674b7d90ff8c408a2e13bc70b7871431bddd63da57afcdeea1d77d27c name: hubble-ui-backend - - image: quay.io/cilium/hubble-ui@sha256:e15af59a2ded739e420be82de6cbdd0ce22f8d3f00e3a10b3d2d2734e074a394 + - image: quay.io/cilium/hubble-ui@sha256:cc0d4f6f610409707566087895062ac40960d667dd79e4f33a4f0f393758fc1e name: hubble-ui-frontend - image: 
quay.io/cilium/cilium-etcd-operator@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc name: etcd-operator @@ -358,5 +367,5 @@ spec: name: nodeinit - image: quay.io/coreos/etcd@sha256:a67fb152d4c53223e96e818420c37f11d05c2d92cf62c05ca5604066c37295e9 name: clustermesh-etcd - replaces: cilium.v1.13.7-x37f9269 - version: 1.13.8+xe0355c7 + replaces: cilium.v1.14.6-x11464e1 + version: 1.14.7+x3522df7